HTTP协议语义不一致问题研究及测试

doi:10.19678/j.issn.1000-3428.0070741

摘要/Abstract

摘要： HTTP协议作为互联网通信的核心基础设施，其现代通信模型依赖多服务器协同工作。若处理链中的服务器未严格遵循协议规范或存在语义解释差异，将引发系统性特征的语义不一致问题，导致访问控制绕过、多Host问题、请求走私及缓存污染等安全威胁。差分模糊测试通过观测不同服务器对报文处理结果的差异，分析语义不一致问题。为了解决现有工具中字段集合范围失准、突变效率低、观测维度单一的问题，提出了一种改进的差分模糊测试方法。首先，基于关键首部的报文构建方法，筛选核心字段精简测试空间；基于字段语义的突变方法，结合语义分类与漏洞特征设计突变方法，丰富测试用例；扩展的报文分析方法，扩展报文分析范围至请求和响应报文，完整地观测通信过程，覆盖现有语义不一致问题的场景。最后，针对常用的7款服务器进行测试，分析发现18类服务器处理差异问题并验证出9对存在语义不一致问题的组合。相比同类工具t-reqs，将测试集合规模降低一个数量级，平均提升12.67%的有效测试用例占比，在同样的观测角度下额外发现2类新的差异问题，扩展测试范围覆盖当前语义不一致问题的四类场景。

Abstract: HTTP protocol is the core infrastructure of Internet communication, and its modern communication model relies on the collaboration of multiple servers. If the servers in the processing chain do not strictly follow the protocol specifications or have differences in semantic interpretation, it will cause semantic inconsistency problems of systemic characteristics, leading to security threats such as access control bypass, multi-host problems, request smuggling and cache pollution. Differential fuzz testing analyzes semantic inconsistency problems by observing the differences in message processing results of different servers. In order to solve the problems of inaccurate field set range, low mutation efficiency and single observation dimension in existing tools, an improved differential fuzz testing method is proposed. First, based on the message construction method of key headers, the core fields are selected to simplify the test space; based on the mutation method of field semantics, the mutation method is designed by combining semantic classification and vulnerability characteristics to enrich test cases; the extended message analysis method expands the message analysis scope to request and response messages, fully observes the communication process, and covers the existing scenarios of semantic inconsistency problems. Finally, tests are conducted on 7 commonly used servers, and 18 types of server processing differences are found and 9 pairs of combinations with semantic inconsistency problems are verified. Compared with similar tools such as t-reqs, it reduces the size of the test set by an order of magnitude, increases the average proportion of valid test cases by 12.67%, discovers two additional types of difference problems from the same observation angle, and expands the test scope to cover four scenarios of current semantic inconsistency problems.

李丹波, 颜学雄, 毛恩辉. HTTP协议语义不一致问题研究及测试[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0070741.

Li Danbo, Yan Xuexiong, Mao Enhui. Research and Testing on Semantic Inconsistency of HTTP Protocol[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0070741.

参考文献

[1] HTTP[EB/OL]. [2024-12-12]. https://en.wikipedia.org/wiki/HTTP
[2] RFC[EB/OL]. [2024-12-18]. https://en.wikipedia.org/wiki/Request_for_Comments
[3] Shen K, Lu J, Yang Y, et al. Hdiff: A semi-automatic framework for discovering semantic gap attack in http impleme ntations[C]//2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 2022: 1-13.
[4] Rafael da Costa Santos. Exploiting HTTP Parsers Inconsistencies[EB/OL]. [2023-06-18]. https://rafa.hashnode.dev/exploiti ng-http-parsers-inconsistencies
[5] Chen J, Jiang J, Duan H, et al. Host of troubles: Multiple host ambiguities in http implementations[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 2016: 1516-1527.
[6] CHAIM LINHART, AMIT KLEIN, RONEN HELED. HTTP REQUEST SMUGGLING[EB/OL]. [2015-08]. https://www. cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
[7] Nguyen H V, Iacono L L, Federrath H. Your cache has fallen: Cache-poisoned denial-of-service attack[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019: 1915-1936.
[8] 姜亚光, 陈曦, 李建彬, 闫靖晨, 刘曙元, 李坤昌. 基于 LSTM 的 S7 协议模糊测试用例生成方法[J]. 计算机工程, 2021, 4 7(7): 183-188. JIANG Yaguang, CHEN Xi, LI Jianbin, YAN Jingchen, LIU Shuyuan, LI Kunchang. LSTM-based Fuzzy Test Case Ge neration Method for S7 Protocol[J]. Computer Engineering, 2021, 47(7): 183-188.
[9] James 'albinowax' Kettle, PortSwigger. HTTP-Request-Smuggler[EB/OL]. [2023-11-16]. https://portswigger.net/bappstore/aa aa60ef945341e8a450217a54a11646
[10] devploit. nomore403[EB/OL]. [2024-03-19]. https://github.com/devploit/nomore403
[11] regilero. HTTPWookiee[EB/OL]. [2017-05-26]. https://github.com/regilero/HTTPWookiee
[12] 刘华玉, 甘水滔, 尹小康, 柳晓龙, 刘胜利, 李宏亮. 一种基于协议格式智能推断的灰盒测试技术[J]. 计算机工程, 2023, 49(12): 129-135, 145.
Huayu LIU, Shuitao GAN, Xiaokang YIN, Xiaolong LIU, Shengli LIU, Hongliang LI. A Gray-box Test Technology B ased on Intelligent Inference of Protocol Format[J]. Computer Engineering, 2023, 49(12): 129-135, 145.
[13] 卢凌, 周志德, 任志磊, 江贺. 面向 JavaScript 引擎报错机制的类别导向模糊测试方法[J]. 计算机科学, 2023, 50(12): 49- 57. https://doi.org/10.11896/jsjkx.221200166 LU Ling, ZHOU Zhide, REN Zhilei, JIANG He. Category-directed Fuzzing Test Method for Error Reporting Mechanis m in JavaScript Engines[J]. Computer Science, 2023, 50(12): 49-57. https://doi.org/10.11896/jsjkx.221200166
[14] Zheng L, Li X, Wang C, et al. REQSMINER: Automated Discovery of CDN Forwarding Request Inconsistencies and DoS Attacks with Grammar-based Fuzzing[J]. 2024.
[15] Jabiyev B, Sprecher S, Onarlioglu K, et al. T-reqs: Http request smuggling with differential fuzzing[C]//Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 2021: 1805-1820.
[16] Jabiyev B, Gavazzi A, Onarlioglu K, et al. Gudifu: Guided Differential Fuzzing for HTTP Request Parsing Discrepanci es[C]//Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses. 2024: 235-24 7.
[17] Common Gateway Interface[EB/OL]. [2024-12-02]. Interfacehttps://en.wikipedia.org/wiki/Common_Gateway_Interface
[18] Kettle J. Http desync attacks: Smashing into the cell next door[J]. Black Hat USA, 2019.
[19] Klein A. Http request smuggling in 2020–new variants, new defenses and new challenges[J]. Black Hat USA, 2020.
[20] Fielding R, Gettys J, Mogul J, et al. RFC2616: Hypertext Transfer Protocol--HTTP/1.1[J]. 1999.
[21] RFC 9110: HTTP Semantics[J]. 2022.
[23] Regilero. Security: HTTP Smuggling, Jetty[EB/OL]. (2019-04-24)[2024-12-02]. https://regilero.github.io/english/security/20 19/04/24/security_jetty_http_smuggling/
[24] OWASP. Path_Traversal[EB/OL]. [2024-04-19]. https://github.com/OWASP/www-community/blob/master/pages/attacks/Path _Traversal.md
[25] Li W, Shen K, Guo R, et al. Cdn backfired: Amplification attacks based on http range requests[C]//2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 2020: 14-25.
[26] 0xn3va. Abusing HTTP hop-by-hop Request Headers[EB/OL]. [2023-12-20]. https://0xn3va.gitbook.io/cheat-sheets/web-ap plication/abusing-http-hop-by-hop-request-headerson Software Quality, Reliability and Security (QRS). IEEE, 2021: 93-101.
[27] HTTP range requests[EB/OL]. [2024-09-26]. https://developer.mozilla.org/en-US/docs/Web/HTTP/Range_requests
[28] Fielding, R, Nottingham M, Reschke J, et al. RFC 9111: HTTP Caching[J]. 2022.
[29] bahruzjabiyev. t-reqs[EB/OL]. [2024-10-30]. https://github.com/bahruzjabiyev/t-reqs
[30] mo-xiaoxi. HDiff[EB/OL]. (2022-06-07)[2024-07-09]. https://github.com/mo-xiaoxi/HDiff
[31] bahruzjabiyev. gudifu-fuzzer[EB/OL]. [2024-04-11]. https://github.com/bahruzjabiyev/gudifu-fuzzer
[32] Gadient P, Nierstrasz O, Ghafari M. Security header fields in http clients[

选择文件类型/文献管理软件名称

选择包含的内容