
Posted: Wed Nov 09, 2005 5:02 am
by n00b Saibot
shiflett wrote:The attack really is called HTTP Response Splitting, although some other names floating around are HTTP Header Injection, HTTP Request Smuggling, and CRLF Injection (ordered from most to least popular alternatives). Sometimes, renames happen when a company wants to be credited with the discovery (e.g., hoping the new name catches on more than the original). Sometimes, it's because the original name is somewhat misleading. Regardless, these efforts really just confuse the whole discipline of web application security. I try to use the original names whenever possible.
But, the PDF which is referred to in webappsec.org, whitedust.org and nearly everywhere, and which I take to be the first piece of work on this issue, calls it HTTP Request Smuggling... :?

Posted: Wed Nov 09, 2005 7:11 am
by s.dot
If I even tried to understand half of what you guys are talking about, I'd drive myself insane. I understand that I will never be truly 100% secure, but reading about something and knowing it exists as a potential threat, and not doing anything about it, bugs the crap out of me!

Now, thanks to this topic, I'm going to be spending my next hour googling. :)

Posted: Wed Nov 09, 2005 7:17 am
by n00b Saibot
scrotaye wrote:If I even tried to understand half of what you guys are talking about, I'd drive myself insane. I understand that I will never be truly 100% secure, but reading about something and knowing it exists as a potential threat, and not doing anything about it, bugs the crap out of me!

Now, thanks to this topic, I'm going to be spending my next hour googling. :)
Good for you :)

Posted: Wed Nov 09, 2005 7:28 am
by Maugrim_The_Reaper
It's not too hard to follow really - just stay current with the security issues. I suppose you could stalk Chris if you really want to stay up to date. That might be a bit weird though, so his blog is probably a safer bet...;) He also has a mountain (well, a sizeable hill) of free articles posted over on http://shiflett.org/articles . They're excellent first references since they're not overdone.
Glad you liked it. :-)
It's great to see articles a 5 year old could understand - the simplicity stands you in good stead. ;)

Posted: Wed Nov 09, 2005 9:24 am
by shiflett
n00b Saibot wrote:But, the PDF which is referred to in webappsec.org, whitedust.org and nearly everywhere, and which I take to be the first piece of work on this issue, calls it HTTP Request Smuggling.
I can't get to the original PDF anymore, because my requests for sanctuminc.com are redirected to watchfire.com. Are you sure about that? As for why you might see a different name elsewhere, I mentioned a few reasons for this:
shiflett wrote:Sometimes, renames happen when a company wants to be credited with the discovery (e.g., hoping the new name catches on more than the original). Sometimes, it's because the original name is somewhat misleading.
I've never heard of whitedust.org (I can't connect to that domain either), so I can't presume to guess their intentions. I should also add a third possibility - sometimes people independently discover an exploit and don't realize that it has already been discovered.
Maugrim_The_Reaper wrote:It's great to see articles a 5 year old could understand - the simplicity stands you in good stead.
Glad to hear it. :-)

One of the reviews for my book made me question whether it would be better to elaborate more, since the review is overall complimentary but describes the book as being a little too advanced for beginners. I usually feel successful when people are completely unimpressed and come away thinking the thing I've described is easy.

Shameless plug:

http://www.amazon.com/exec/obidos/ASIN/ ... hiflett-20

The review I'm referring to is by John A. Suda.

Posted: Thu Nov 10, 2005 1:16 am
by n00b Saibot
shiflett wrote:I can't get to the original PDF anymore, because my requests for sanctuminc.com are redirected to watchfire.com. Are you sure about that?
I have saved the original PDF :) and yeah! I am sure about that! I read that a long time ago...
shiflett wrote:I've never heard of whitedust.org (I can't connect to that domain either), so I can't presume to guess their intentions.
I have posted the link to its article on this topic in my previous post [page 2] and sorry that's whitedust.net.
shiflett wrote:I should also add a third possibility - sometimes people independently discover an exploit and don't realize that it has already been discovered.
Hmmm... there could be a possibility...