Project

General

Profile

Actions
Copy link

Bug #7925

open

http: dissection anomaly on repeated 'Vary' headers

Added by A. IOOSS about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
8.0.0, 8.0.1
Effort:
Difficulty:
Label:

Description

During last weekend attack-defense CTF, I captured the following exchange between a Python Requests client and a Java Spring Boot server:

POST /login HTTP/1.1
Host: 10.41.17.2:8080
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 79
Content-Type: application/x-www-form-urlencoded

email=REDACTED&password=a

HTTP/1.1 200 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Set-Cookie: sessionId=REDACTED==; Path=/; Max-Age=86400; Expires=Mon, 15 Sep 2025 12:54:28 GMT; HttpOnly
Content-Type: application/json
Transfer-Encoding: chunked
Date: Sun, 14 Sep 2025 12:54:28 GMT
Keep-Alive: timeout=60
Connection: keep-alive

20
{"id":2921,"email":"i31u0frXnV"}
0

Suricata generates the following anomaly: 

{"app_proto":"http","type":"applayer","event":"RESPONSE_HEADER_REPETITION","layer":"proto_parser"}

According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Vary, it seems that the header can be repeated.
Maybe this shouldn't be considered as a dissection anomaly?

No data to display

Actions
Copy link

Also available in: Atom PDF