Bug #7925
openhttp: dissection anomaly on repeated 'Vary' headers
Description
During last weekend's attack-defense CTF, I captured the following exchange between a Python Requests client and a Java Spring Boot server:
POST /login HTTP/1.1
Host: 10.41.17.2:8080
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 79
Content-Type: application/x-www-form-urlencoded

email=REDACTED&password=a

HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Set-Cookie: sessionId=REDACTED==; Path=/; Max-Age=86400; Expires=Mon, 15 Sep 2025 12:54:28 GMT; HttpOnly
Content-Type: application/json
Transfer-Encoding: chunked
Date: Sun, 14 Sep 2025 12:54:28 GMT
Keep-Alive: timeout=60
Connection: keep-alive

20
{"id":2921,"email":"i31u0frXnV"}
0
Suricata generates the following anomaly:
{"app_proto":"http","type":"applayer","event":"RESPONSE_HEADER_REPETITION","layer":"proto_parser"}
According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Vary, it seems that the header can be repeated.
Maybe this shouldn't be considered a dissection anomaly?
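As an added example (not part of this report and not Suricata's own code), a small Python triage helper that parses a response head like the one captured above and separates repeated fields that RFC 9110 defines as comma-separated lists, such as Vary, from repeats of non-list fields that genuinely warrant the RESPONSE_HEADER_REPETITION event. The set of list-valued field names is a constructed subset for illustration, not Suricata's table.

```python
"""Triage repeated HTTP response headers (added example, not Suricata code).

RFC 9110 sec. 5.3 lets a field appear more than once when its value is a
comma-separated list; a recipient may join the values with ", ". Vary is
such a field, so three Vary lines equal one comma-joined Vary header.
"""
from collections import OrderedDict

# Constructed subset of list-valued fields; not an exhaustive or official table.
LIST_FIELDS = {"vary", "cache-control", "via", "allow", "connection",
               "transfer-encoding", "www-authenticate", "accept-ranges"}
# Set-Cookie may repeat (RFC 6265) but its values must never be comma-joined.
REPEATABLE_UNMERGED = {"set-cookie"}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 message head into ordered (name, value) pairs,
    keeping duplicates. Parsing stops at the blank line before the body."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def classify_repeats(headers):
    """Return (merged, suspicious). merged maps each repeated list-valued
    field to its comma-joined value; suspicious lists repeated fields that
    are neither list-valued nor Set-Cookie and so deserve an alert."""
    seen = OrderedDict()
    for name, value in headers:
        seen.setdefault(name, []).append(value)
    merged, suspicious = {}, []
    for name, values in seen.items():
        if len(values) < 2 or name in REPEATABLE_UNMERGED:
            continue
        if name in LIST_FIELDS:
            merged[name] = ", ".join(values)
        else:
            suspicious.append(name)
    return merged, suspicious


# Constructed sample mirroring the captured response, cookie value redacted.
SAMPLE_RESPONSE = ("HTTP/1.1 200\r\nVary: Origin\r\n"
                   "Vary: Access-Control-Request-Method\r\n"
                   "Vary: Access-Control-Request-Headers\r\n"
                   "Set-Cookie: sessionId=REDACTED; Path=/; HttpOnly\r\n"
                   "Content-Type: application/json\r\n"
                   "Transfer-Encoding: chunked\r\n\r\n"
                   '20\r\n{"id":2921,"email":"i31u0frXnV"}\r\n0\r\n')
```

Running `classify_repeats(parse_headers(SAMPLE_RESPONSE))` on the sample yields the merged Vary value and an empty suspicious list, whereas a repeated Content-Length would land in the suspicious list.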