Host of Troubles - Multiple Host Ambiguities in HTTP Implementations
Association for Computing Machinery (ACM) via YouTube
Earn a Michigan Engineering AI Certificate — Stay Ahead of the AI Revolution
AI Engineer - Learn how to integrate AI into software applications
Overview
Syllabus
Intro
Multiparty interactions in current Internet
Previous works about ambiguity
How HTTP requests are processed
Host - A critical HTTP field
Technique 1: Multiple Host header
How do implementations handle requests with multiple Host header?
How implementations handle requests with space-surrounded Host Header?
Absolute-URI as request-target
How do different implementations handle absolute-URI?
Attacks exploiting host ambiguity
Cache poisoning Co- hosting website
Cache poisoning Co-CDN website
Cache poisoning any HTTP website CVE-2016-4553
Firewall bypass
WAF bypass
How Prevalent are Upstream/Downstream vulnerabilities?
Outline
Measurement set up
Execution of test cases
Measurement results
Mitigation
A test in my phone's network
Discussion
Taught by
ACM CCS