Introduction to HTTP Misconfigurations

With billions of devices relying on it every day, HTTP is one of the most utilized protocols on the Internet. Today, web application security constitutes one the most vital parts of Cyber Security, as it is important to not only look at a web application discretely, but rather holistically in a real-world deployment which includes systems such as web servers and web caches that introduce additional complexity and therefore attack surface.

In this module, we will cover three HTTP attacks that are common in modern web applications. We will discuss these attacks in detail, including how to detect, exploit, and prevent these types of attacks.

Web services that are used by many users utilize web caches to improve performance by reducing the load on the web server. Web caches sit between the client and the web server. They store resources locally after obtaining them from the web server, such that they can serve them from local storage if the same resource is requested again. Thus, the resources do not need to be requested from the web server, reducing the load on the web server. Vulnerabilities that can arise when web servers utilize web caches will be discussed in this module.

The HTTP Host header is present in any HTTP request since HTTP/1.1. It specifies the hostname and potentially the port of the server to which the request is being sent. When web servers host multiple web applications, the host header is used to determine which web application is targeted by the request and the response is served accordingly. In this module, we will discuss vulnerabilities that can arise from improper handling of the host header in the web application.

Since HTTP is a stateless protocol, sessions are required to provide context for requests. For instance, HTTP sessions are used to perform authenticated actions without having to send credentials in every request. The web application typically identifies the user by their session ID, which the user provides in a session cookie in most cases. On the server side, information about the user is stored in the session variables associated with the corresponding session ID. The last part of this module focuses on vulnerabilities that result from improper handling of session variables.

HTTP Attacks

Web Cache Poisoning

The first HTTP attack discussed in this module is Web Cache Poisoning. This attack exploits misconfigurations in web caches in combination with other vulnerabilities in the underlying web application to target unknowing users. Depending on the specific vulnerability, it might be sufficient for a victim to simply access the targeted website to be exploited. Web cache poisoning can also lead to otherwise unexploitable vulnerabilities being weaponized to target a huge number of potential victims.

Host Header Attacks

The second type of attacks discussed in this module are Host Header Attacks. The HTTP host header contains the host of the accessed domain and is used to tell the server which domain a user wants to access. This is required for instances where a single server serves multiple domains or subdomains so that the server can identify the targeted application. Host header attacks exploit vulnerabilities in the handling of the host header. More specifically, if a web application uses the host header for authorization checks or to construct absolute links, an attacker may be able to manipulate the host header to bypass these checks or force the construction of malicious links.

Session Puzzling

The third and final attack covered in this module is Session Puzzling. Since HTTP is a stateless protocol, session variables are required to keep track of a wide variety of actions commonly performed in web applications, including authentication. Session puzzling is a vulnerability that results from improper handling of session variables and can lead to authentication bypasses or account takeover. In particular, session puzzling can be the result of the re-use of the same session variable in different processes, the premature population of session variables, or insecure default values for session variables.

Let's get started by discussing the first of these attacks in the next section.