July 2013

Please note that republishing this article in full or in part is only allowed under the conditions described here.

Dubious HTTP III - Playing With Content-Length

The Content-Length header tells the receiver how many bytes of body follow the headers, so a response should carry at most one of them. But what happens when multiple Content-Length headers get sent, or when the header does not match the data actually delivered? Every browser, proxy and IDS has to answer that question for itself, and a security system which frames the response differently from the browser ends up inspecting something other than what the browser renders.

To determine the behavior of the browsers I tested with:

To evaluate the behavior of intermediate systems I let virustotal.com (2013/7/10) check some URLs with dubious Content-Length headers and tested against the HTTP proxy Squid 3.2.1. I also looked at the source code of common IDS:

To reproduce the results you might point your browser to my test site or set up your own using my test suite.

Sending same Content-Length twice

Although there should be no room for interpretation here, it looks like Suricata simply joins all headers of the same name into one value separated by a comma (the rule HTTP defines for list-valued headers) and then tries to parse the result as a number. This fails because the joined value now contains a comma, so Suricata complains and does not analyze the content further.

Snort complains about the duplicate header and continues as if no Content-Length header had been given.

All others use the given Content-Length.

Sending contradicting Content-Length headers

The behavior for contradicting Content-Length headers varies a lot between the systems:

Sending less data than promised by Content-Length

While Chrome complains about the problem, all others just use the received data, that is, they treat the truncated body as if it were complete.
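As an added example that is not part of the original article or its test suite, the following Python script builds raw responses for the three cases above (the same Content-Length twice, two contradicting values, and a Content-Length larger than the body actually sent) and shows what body each framing policy makes of the same bytes. The policy names, the "strict" policy (the rule RFC 7230 adopted after this article was written), and the hypothetical URL paths and port are this example's own; which real product follows which policy is the article's observation, not something the script checks. Started with `--serve` it also listens on 127.0.0.1:8080 so a browser or proxy can be pointed at it.

```python
"""Added example (not from the article): build HTTP responses with dubious
Content-Length headers and show how different framing policies read them."""
import http.server
import re
import socketserver
import sys

CRLF = b"\r\n"


def build_response(body: bytes, content_lengths) -> bytes:
    """Raw HTTP/1.1 response with one Content-Length header per entry in
    content_lengths (same value twice, differing values, or too large)."""
    head = [b"HTTP/1.1 200 OK", b"Content-Type: text/plain", b"Connection: close"]
    head += [b"Content-Length: %d" % n for n in content_lengths]
    return CRLF.join(head) + CRLF + CRLF + body


def split_response(raw: bytes):
    """Split a raw response into ([(lowercased name, value)], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF)[1:]:          # [1:] drops the status line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def framed_body(raw: bytes, policy: str):
    """Bytes a consumer following `policy` treats as the body, or None when
    that policy refuses to frame the message at all.

    first  - honour the first Content-Length seen
    last   - honour the last Content-Length seen
    join   - comma-join duplicates, then require pure digits; '18,18' is not
             a number, so duplicates are rejected (models what the article
             describes for Suricata)
    ignore - on duplicates behave as if no Content-Length were present and
             read until the connection closes (models Snort as described)
    strict - accept identical duplicates, reject differing ones (RFC 7230)
    """
    headers, body = split_response(raw)
    values = [v for (n, v) in headers if n == b"content-length"]
    if not values:
        return body                              # no framing: read to EOF
    if policy == "first":
        n = int(values[0])
    elif policy == "last":
        n = int(values[-1])
    elif policy == "join":
        joined = b",".join(values)
        if not re.fullmatch(rb"\d+", joined):
            return None
        n = int(joined)
    elif policy == "ignore":
        if len(values) > 1:
            return body
        n = int(values[0])
    elif policy == "strict":
        if len(set(values)) > 1:
            return None
        n = int(values[0])
    else:
        raise ValueError("unknown policy %r" % policy)
    # Fewer bytes than promised: hand over what arrived (what most tested
    # systems did); a stricter consumer would instead report an error.
    return body[:n]


POLICIES = ("first", "last", "join", "ignore", "strict")

# Constructed test cases: hypothetical path -> (body, Content-Length values)
CASES = {
    "/same-twice": (b"<html>hello</html>", [18, 18]),
    "/contradict": (b"<html>hello</html>", [6, 18]),
    "/too-short": (b"<html>hello</html>", [100]),
}


def interpretations(raw: bytes) -> dict:
    """Map every policy to the body it yields for `raw` (None = rejected)."""
    return {p: framed_body(raw, p) for p in POLICIES}


class DubiousHandler(http.server.BaseHTTPRequestHandler):
    """Serve the CASES as raw bytes, bypassing the library's header code,
    so a browser or proxy can be tested against them."""

    def do_GET(self):
        if self.path not in CASES:
            self.send_error(404)
            return
        body, lengths = CASES[self.path]
        self.wfile.write(build_response(body, lengths))
        self.close_connection = True

    def log_message(self, *args):               # keep the demo quiet
        pass


if __name__ == "__main__":
    for path, (body, lengths) in CASES.items():
        sizes = {p: (None if b is None else len(b))
                 for p, b in interpretations(build_response(body, lengths)).items()}
        print(path, sizes)
    if "--serve" in sys.argv:                  # hypothetical port for the demo
        with socketserver.TCPServer(("127.0.0.1", 8080), DubiousHandler) as srv:
            print("serving on http://127.0.0.1:8080" + ", ".join(CASES))
            srv.serve_forever()
```

The interesting row is `/contradict`: "first" sees a 6-byte body, "last" and "ignore" see the full 18 bytes, and "join" and "strict" see nothing at all. A scanner in the last group that simply stops analyzing has inspected none of what a browser in the second group will render.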

Conclusion

Yet again it is easy for an attacker who runs their own web server to bypass security systems by sending HTTP responses with dubious Content-Length headers: any system that frames the response differently from the browser, or that stops analyzing the content when it hits the duplicate header while the browser happily renders it, lets the payload through uninspected.

Corrections, Updates...