Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

The HTTP Garden: Discovering Parsing Vulnerabilities in HTTP/1.1 Implementations by Differential Fuzzing of Request Streams

Ben Kallus, Prashant Anantharaman, Michael Locasto, Sean W. Smith

TL;DR

The paper tackles HTTP/1.1 parsing discrepancies that enable attacks when requests traverse chains of origin servers and transducers. It introduces the HTTP Garden, a differential, coverage-guided fuzzer with a REPL, designed to reveal exploitable parsing discrepancies by jointly analyzing origin servers and intermediaries; it formalizes discrepancy meaningfulness and durability and demonstrates the discovery of 122 unique issues, with 68 patched and 39 exploitable, across a broad ecosystem. The study defines a symmetric $n \times n$ boolean discrepancy matrix $M(I)$ to map inputs to cross-server disagreements and leverages the fine path $\delta$-diversity for mutation control, yielding a practical framework for rapid payload development into real exploits. The work provides public tools to researchers, highlights concrete vulnerability categories (integer, chunk, field-line, and field-value parsing; DoS), and discusses implications for standards and future directions, including potential mitigations via end-to-end HTTP/2/3 and protocol deprecation of dangerous constructs.

Abstract

HTTP/1.1 parsing discrepancies have been the basis for numerous classes of attacks against web servers. Previous techniques for discovering HTTP parsing discrepancies have focused on blackbox differential testing of HTTP gateway servers, despite evidence that the most significant parsing anomalies occur within origin servers. While these techniques can detect some vulnerabilities, not all parsing discrepancy-related vulnerabilities are detectable by examining a gateway server's output alone. Our system, the HTTP Garden, examines both origin servers' interpretations and gateway servers' transformations of HTTP requests. It also includes a coverage-guided differential fuzzer for HTTP/1.1 origin servers that is capable of mutating all components of a request stream, paired with an interactive REPL that facilitates the automatic discovery of meaningful HTTP parsing discrepancies and the rapid development of those discrepancies into attack payloads. Using our tool, we have discovered and reported over 100 HTTP parsing bugs in popular web servers, of which 68 have been fixed following our reports. We designate 39 of these to be exploitable. We release the HTTP Garden to the public on GitHub under a free software license to allow researchers to further explore new parser discrepancy-based attacks against HTTP/1.1 servers.

The HTTP Garden: Discovering Parsing Vulnerabilities in HTTP/1.1 Implementations by Differential Fuzzing of Request Streams

TL;DR

The paper tackles HTTP/1.1 parsing discrepancies that enable attacks when requests traverse chains of origin servers and transducers. It introduces the HTTP Garden, a differential, coverage-guided fuzzer with a REPL, designed to reveal exploitable parsing discrepancies by jointly analyzing origin servers and intermediaries; it formalizes discrepancy meaningfulness and durability and demonstrates the discovery of 122 unique issues, with 68 patched and 39 exploitable, across a broad ecosystem. The study defines a symmetric boolean discrepancy matrix to map inputs to cross-server disagreements and leverages the fine path -diversity for mutation control, yielding a practical framework for rapid payload development into real exploits. The work provides public tools to researchers, highlights concrete vulnerability categories (integer, chunk, field-line, and field-value parsing; DoS), and discusses implications for standards and future directions, including potential mitigations via end-to-end HTTP/2/3 and protocol deprecation of dangerous constructs.

Abstract

HTTP/1.1 parsing discrepancies have been the basis for numerous classes of attacks against web servers. Previous techniques for discovering HTTP parsing discrepancies have focused on blackbox differential testing of HTTP gateway servers, despite evidence that the most significant parsing anomalies occur within origin servers. While these techniques can detect some vulnerabilities, not all parsing discrepancy-related vulnerabilities are detectable by examining a gateway server's output alone. Our system, the HTTP Garden, examines both origin servers' interpretations and gateway servers' transformations of HTTP requests. It also includes a coverage-guided differential fuzzer for HTTP/1.1 origin servers that is capable of mutating all components of a request stream, paired with an interactive REPL that facilitates the automatic discovery of meaningful HTTP parsing discrepancies and the rapid development of those discrepancies into attack payloads. Using our tool, we have discovered and reported over 100 HTTP parsing bugs in popular web servers, of which 68 have been fixed following our reports. We designate 39 of these to be exploitable. We release the HTTP Garden to the public on GitHub under a free software license to allow researchers to further explore new parser discrepancy-based attacks against HTTP/1.1 servers.
Paper Structure (36 sections, 8 figures, 2 tables)

This paper contains 36 sections, 8 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Background
  3. HTTP/1.1
  4. HTTP Server Classes
  5. Connection Reuse
  6. Message Format
  7. HTTP Request Smuggling
  8. CPDoS
  9. Related Work
  10. T-Reqs and FRAMESHIFTER
  11. HDiff
  12. Differential Testing
  13. HTTP Garden
  14. Echo Servers.
  15. Coverage-Guided Differential Fuzzing
  16. ...and 21 more sections

Figures (8)

  • Figure 1: The flow of requests between a client and an origin server
  • Figure 2: The flow of requests between a client and a gateway server
  • Figure 3: The flow of requests between a client and a cache server. The dotted line represents the fact that not all requests received by the cache are forwarded to its backing server.
  • Figure 4: The two techniques for reusing HTTP/1.1 connections
  • Figure 5: A request being routed through a transducer and echo server.
  • ...and 3 more figures