YoVDO

Host of Troubles - Multiple Host Ambiguities in HTTP Implementations

Offered By: Association for Computing Machinery (ACM) via YouTube

Tags

ACM CCS (Computer and Communications Security) Courses Network Security Courses Computer Security Courses Cache Poisoning Courses

Course Description

Overview

Explore a conference talk from CCS 2016 examining multiple host ambiguities in HTTP implementations. Delve into the intricacies of multiparty interactions in the current Internet, focusing on the critical HTTP Host field. Learn about techniques like multiple Host headers and absolute-URI as request-target, and how different implementations handle these scenarios. Discover potential attacks exploiting host ambiguity, including cache poisoning and firewall bypass. Examine the prevalence of upstream/downstream vulnerabilities through measurement results and discuss mitigation strategies. Gain insights from authors representing Tsinghua University, University of California, Berkeley, International Computer Science Institute, and Huawei Canada as they present their findings on this crucial aspect of web security.

Syllabus

Intro
Multiparty interactions in current Internet
Previous works about ambiguity
How HTTP requests are processed
Host - A critical HTTP field
Technique 1: Multiple Host header
How do implementations handle requests with multiple Host header?
How implementations handle requests with space-surrounded Host Header?
Absolute-URI as request-target
How do different implementations handle absolute-URI?
Attacks exploiting host ambiguity
Cache poisoning Co- hosting website
Cache poisoning Co-CDN website
Cache poisoning any HTTP website CVE-2016-4553
Firewall bypass
WAF bypass
How Prevalent are Upstream/Downstream vulnerabilities?
Outline
Measurement set up
Execution of test cases
Measurement results
Mitigation
A test in my phone's network
Discussion


Taught by

ACM CCS

Related Courses

Peeling the Onion's User Experience Layer - Examining Naturalistic Use of the Tor Browser
Association for Computing Machinery (ACM) via YouTube DeepCorr - Strong Flow Correlation Attacks on Tor Using Deep Learning
Association for Computing Machinery (ACM) via YouTube SandScout - Automatic Detection of Flaws in iOS Sandbox Profiles
Association for Computing Machinery (ACM) via YouTube Game of Decoys - Optimal Decoy Routing Through Game Theory
Association for Computing Machinery (ACM) via YouTube PREDATOR - Proactive Recognition and Elimination of Domain Abuse at Time-Of-Registration
Association for Computing Machinery (ACM) via YouTube