Miscellaneous attacks

This type of attack exploits vulnerable web servers by forcing cache servers or web browsers into disclosing user specific information that might be sensitive and confidential.

About this attack

The following attacks are the most common type of attacks for this category:
Table 1. Miscellaneous attacks
Attack type Attack description
HTTP Response Smuggling Allows an unauthenticated, remote attacker to send multiple HTTP requests designed to cause two targeted entities to receive different requests.

This attack can be used to send a malicious request to one entity while the other is unaware in order to perform cross-site scripting attacks, web cache poisoning attacks, or bypass web application firewall protection.

Many web servers, firewalls, and proxy servers are susceptible to this attack, however the impact of the attack is really determined by the parsing methods of the specific product being attacked.

HTTP Response Splitting Allows an attacker to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.

This attack can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning attacks, and similar exploits.

JSON Hijacking Allows malicious web sites to intercept confidential data delivered in JSON format.

This attack takes advantage of web browsers that allow scripts to override the core language's object setter routines. These routines use malicious JavaScript to insert logic that allows it to monitor JSON messages returned from a server.

Signatures triggered by this attack

The signatures triggered by miscellaneous attacks include:
Table 2. Miscellaneous attack signatures
Signature name Description More information
HTTP_Acunetix_WVS_Scan searches for scans by the Acunetix Web Vulnerability Scanner. IBM® X-Force®: HTTP Acunetix WVS scan detected
HTTP_Alternates_Corrupt Detects an Alternates header in an HTTP response that uses unbalanced curly braces, which indicates an HTTP response splitting attack, cross-site scripting, or web cache poisoning. IBM X-Force: Apache HTTP Server mod_negotiation HTTP response splitting


HTTP_Connect_Proxy_Bypass_SMTP Checks for a HTTP CONNECT command that attempts to connect to port 25.
Known false positives: This should never trigger on external/public facing networks, but it might trigger on internal networks where users are expected to use HTTP proxies in order to send SMTP traffic. However, such configurations are exceedingly rare.
IBM X-Force: HTTP server CONNECT method used to bypass filtering
HTTP_Content_Length_Invalid Detects a non-numeric HTTP Content-Length parameter.
Note: This does not necessarily indicate that there is an attack on the network, but could indicate an IDS evasion attempt, DNS cache poisoning attack, or other possible malicious activity.
HTTP_CRLF_Injection_Response_Splitting Detects malicious HTTP requests that might indicate an attacker's attempt at exploiting CRLF injection attacks, which could result in HTTP response splitting.

These attacks can be used to create localized defacements, cache poisoning, cross-site scripting, or phishing.

IBM X-Force: HTTP CRLF injection detected
HTTP_Field_With_Binary Detects HTTP requests with fields larger than 100 bytes and contain more than 5 bytes of binary (non-ASCII) data.

You can use the advanced tuning parameter pam.http.binary.fieldlength to change the minimum field size from its default of 100.

You can use the advanced tuning parameter pam.http.binary.count to change the minimum number of binary bytes that must be present from its default of 5.

pam.http.binary.count: Controls the threshold of the HTTP_Field_With_Binary signature.

Type= number
Default value= 20
Minimum value= 0
Maximum value= 4294967295

pam.http.binary.fieldlength: Controls the threshold of the HTTP_Field_With_Binary signature.

Type= number
Default value= 100
Minimum value= 1
Maximum value= 4294967295

IBM X-Force: HTTP field contains binary characters
HTTP_Fields_With_Binary Detects HTTP requests for multiple fields of any size that contains any binary (non-ASCII) data. Detection algorithm values are configurable through psom settings: maxHttpBinaryFields, max field count for fields with binary data using a default of 3.

pam.http.binary.fieldcount: Specifies the number of fields in an HTTP request that might contain binary data before PAM considers it to be unusual and triggers HTTP_Fields_With_Binary.

Type= number
Units= fields
Default value= 3
Minimum value= 0
Maximum value= 2147483647

IBM X-Force: HTTP requests with multiple fields containing binary data
HTTP_Proxy_Cache_Poisoning Detects HTTP server responses that can corrupt the caches of HTTP proxy servers.

Microsoft Internet Security and Acceleration (ISA) and Microsoft Small Business Server could allow a remote attacker to perform cache poisoning, caused by improper handling of HTTP headers.

By sending multiple content-length headers along with specially crafted requests, a remote attacker could poison the vulnerable server's cache. A remote attacker could exploit this vulnerability to bypass policy restrictions or redirect users to unexpected content.
Note: For a remote attacker to exploit this vulnerability, the server must have multiple web sites published. Cache poisoning is limited to the IP address or domain name of the target server.
IBM X-Force: Microsoft ISA Server HTTP header cache poisoningCVE-2005-1215
HTTP_RPC_Connect Detects an RPC request tunneled over HTTP. While this signature does not indicate an attack on your network, it does indicate traffic that might be considered suspicious in some network and service configurations.
Known false positives: This event will fire any time that the algorithm conditions are met. However, make sure the connections are coming from trusted hosts.
IBM X-Force: RPC request tunneled over HTTP has been detected
HTTP_Unknown_Protocol Detects a three-way handshake on port 80, followed by a non-HTTP compliant request, followed by a non-HTTP compliant response.
Known false negatives: If a tunnelling application uses valid HTTP protocol to deliver content (for example, by using the POST method), then this signature will not trigger.
IBM X-Force: HTTP unknown protocol
HTTP_URLscan Detects URL requests used by certain vulnerability scanners that an attacker might use to scan your network for vulnerabilities. IBM X-Force: HTTP URL scan
HTTPS_Apache_ClearText_DoS Detects an unencrypted HTTP request on port 443 that might cause the Apache web server to stop responding or return a response that is not valid. IBM X-Force: Apache mod_ssl custom error message denial of service


JSON_Hijacking Detects an attempt to redefine the global Array() or Object() constructors in JavaScript. This technique typically indicates an attempt to intercept private JSON-encoded information from the user's session with another web site.
Known false positives: Rarely, non-malicious web developers write non-portable JavaScript that overrides the Array or Object constructors in a way that is difficult to distinguish from exploit code.
IBM X-Force: Multiple vendor JavaScript Object Notation information disclosure