Feature #8221
openhttp: header handling should treat duplicates as multi-buffer, not concat
Effort: high
Difficulty: low
Label:
Description
When encountering duplicate headers they are concatenated:
Host: abc\r\n
Host: def\r\n
Is stored internally as
Host: abc, def\r\n
This behavior comes from libhtp and has existed in it since the earliest versions. IIRC this tracks how Apache is/was doing it, so from that perspective it makes sense as a normalization.
However in rule writing this leads to lots of issues, see for example #7754 and #6779.
So I would like to get rid of it. From the detection side, I think these rules should both match:
alert http ... http.host; content:"abc"; bsize:3; ...
alert http ... http.host; content:"def"; bsize:3; ...
So this would turn these header keywords into multi-buffer keywords.
Perhaps a new transform "concat" could be used to trigger the old behavior:
alert http ... http.host; concat:", "; content:"abc, def"; bsize:8; ...
This "concat" transform would take all buffers from a multi-buffer and flatten it to a single buffer.
Updated by Victor Julien 5 days ago
- Related to Bug #7754: http.host and http.host.raw contain the same Host header value twice, with a delimiter added
Updated by Victor Julien 5 days ago
- Related to Feature #6779: http.header_names behavior when encountering duplicate header names added
Updated by Victor Julien 5 days ago
- Related to Feature #6925: multi-buffer support for HTTP cookies added
Updated by Victor Julien 5 days ago
- Related to Documentation #6781: http: document duplicate headers concatenation handling added
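
The two buffer semantics discussed in the description can be modelled outside Suricata. The following is an added example, not part of the ticket and not Suricata or libhtp code; all function names are hypothetical, and `concat_transform` only models the transform the description proposes.

```python
# Added illustration: a model of the two header-buffer semantics from the
# ticket. Not Suricata or libhtp code; every name here is hypothetical.

def parse_headers(raw):
    """Split a raw header block into (lowercased name, value) pairs.
    Duplicate headers are kept as separate entries, in order."""
    pairs = []
    for line in raw.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # empty line or not a header line
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def multi_buffers(pairs, name):
    """Proposed behaviour: one inspection buffer per header occurrence."""
    return [value for n, value in pairs if n == name]


def concat_transform(buffers, sep=b", "):
    """Model of the proposed 'concat' transform: flatten all buffers of a
    multi-buffer into one buffer, which is what the current behaviour stores."""
    return [sep.join(buffers)] if buffers else []


def rule_matches(buffers, content, bsize):
    """Model of `content:"..."; bsize:N;`: both conditions must hold on the
    same buffer; the rule matches if any single buffer satisfies them."""
    return any(content in b and len(b) == bsize for b in buffers)


# Constructed sample: the duplicate Host headers from the description.
RAW = b"Host: abc\r\nHost: def\r\n"

if __name__ == "__main__":
    multi = multi_buffers(parse_headers(RAW), b"host")
    flat = concat_transform(multi)
    for label, bufs in (("multi-buffer", multi), ("concatenated", flat)):
        print(label, bufs)
        for content, bsize in ((b"abc", 3), (b"def", 3), (b"abc, def", 8)):
            print("  content:%r bsize:%d ->" % (content, bsize),
                  rule_matches(bufs, content, bsize))
```
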