Bug #7925
openhttp: dissection anomaly on repeated 'Vary' headers
Description
During last weekend's attack-defense CTF, I captured the following exchange between a Python Requests client and a Java Spring Boot server:

POST /login HTTP/1.1
Host: 10.41.17.2:8080
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 79
Content-Type: application/x-www-form-urlencoded

email=REDACTED&password=a

HTTP/1.1 200 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Set-Cookie: sessionId=REDACTED==; Path=/; Max-Age=86400; Expires=Mon, 15 Sep 2025 12:54:28 GMT; HttpOnly
Content-Type: application/json
Transfer-Encoding: chunked
Date: Sun, 14 Sep 2025 12:54:28 GMT
Keep-Alive: timeout=60
Connection: keep-alive

20
{"id":2921,"email":"i31u0frXnV"}
0

Suricata generates the following anomaly:
{"app_proto":"http","type":"applayer","event":"RESPONSE_HEADER_REPETITION","layer":"proto_parser"}
According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Vary, it seems that the header can be repeated.
Maybe this shouldn't be considered as a dissection anomaly?
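
Added example (not part of the original report and not Suricata's code): a Python sketch of how a parser can tell a legitimately repeated list-valued field such as Vary, which RFC 9110 allows to be split across several field lines and combined with commas, from a repeated singleton field. The names `LIST_FIELDS`, `REPEATABLE_UNJOINED`, `parse_field_lines` and `classify_repetitions` are hypothetical, the field sets are an assumed partial subset, and the sample bytes are reconstructed from the response above with CRLF line endings assumed.

```python
# Added illustration only; not how Suricata implements header handling.
# Assumed, partial subset of fields whose RFC 9110 syntax is a comma list.
LIST_FIELDS = {"vary", "accept-encoding", "cache-control", "connection", "via", "allow"}
# Set-Cookie may repeat but must never be comma-joined (RFC 9110, section 5.3).
REPEATABLE_UNJOINED = {"set-cookie"}

# Reconstructed from the response in the report (CRLF endings assumed).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 \r\n"
    b"Vary: Origin\r\n"
    b"Vary: Access-Control-Request-Method\r\n"
    b"Vary: Access-Control-Request-Headers\r\n"
    b"Set-Cookie: sessionId=REDACTED==; Path=/; HttpOnly\r\n"
    b"Content-Type: application/json\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b'20\r\n{"id":2921,"email":"i31u0frXnV"}\r\n0\r\n\r\n'
)


def parse_field_lines(raw):
    """Return {lowercased field name: [values in wire order]} for the header block."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    fields = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def classify_repetitions(fields):
    """Classify every field that appears on more than one field line."""
    result = {}
    for name, values in fields.items():
        if len(values) < 2:
            continue
        if name in LIST_FIELDS:
            # Same meaning as a single line carrying the comma-joined value.
            result[name] = ("combine", ", ".join(values))
        elif name in REPEATABLE_UNJOINED:
            result[name] = ("keep-separate", values)
        else:
            # Repeated singleton: receivers may disagree on which value wins.
            result[name] = ("anomaly", values)
    return result


if __name__ == "__main__":
    print(classify_repetitions(parse_field_lines(SAMPLE_RESPONSE)))
```
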