This type of attack exploits vulnerable web servers by forcing cache servers or web browsers into disclosing user-specific information that might be sensitive and confidential.

Attack type | Attack description |
---|---|
HTTP Response Smuggling | Allows an unauthenticated, remote attacker to send multiple HTTP requests designed to cause two targeted entities to receive different requests. This attack can be used to send a malicious request to one entity while the other is unaware, in order to perform cross-site scripting attacks or web cache poisoning attacks, or to bypass web application firewall protection. Many web servers, firewalls, and proxy servers are susceptible to this attack; however, the impact of the attack is determined by the parsing methods of the specific product being attacked. |
HTTP Response Splitting | Allows an attacker to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one. This attack can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning attacks, and similar exploits. |
JSON Hijacking | Allows malicious web sites to intercept confidential data delivered in JSON format. This attack takes advantage of web browsers that allow scripts to override the core language's object setter routines. The attack uses malicious JavaScript to insert logic into those routines that monitors JSON messages returned from a server. |
Signature name | Description | More information |
---|---|---|
HTTP_Acunetix_WVS_Scan | Searches for scans by the Acunetix Web Vulnerability Scanner. | IBM® X-Force®: HTTP Acunetix WVS scan detected |
HTTP_Alternates_Corrupt | Detects an Alternates header in an HTTP response that uses unbalanced curly braces, which indicates an HTTP response splitting attack, cross-site scripting, or web cache poisoning. | IBM X-Force: Apache HTTP Server mod_negotiation HTTP response splitting |
HTTP_Connect_Proxy_Bypass_SMTP | Checks for an HTTP CONNECT command that attempts to connect to port 25. Known false positives: This should never trigger on external/public-facing networks, but it might trigger on internal networks where users are expected to use HTTP proxies in order to send SMTP traffic. However, such configurations are exceedingly rare. | IBM X-Force: HTTP server CONNECT method used to bypass filtering |
HTTP_Content_Length_Invalid | Detects a non-numeric HTTP Content-Length parameter. Note: This does not necessarily indicate that there is an attack on the network, but it could indicate an IDS evasion attempt, a DNS cache poisoning attack, or other possible malicious activity. | N/A |
HTTP_CRLF_Injection_Response_Splitting | Detects malicious HTTP requests that might indicate an attacker's attempt at exploiting CRLF injection, which could result in HTTP response splitting. These attacks can be used to create localized defacements, cache poisoning, cross-site scripting, or phishing. | IBM X-Force: HTTP CRLF injection detected |
HTTP_Field_With_Binary | Detects HTTP requests with fields that are larger than 100 bytes and contain more than 5 bytes of binary (non-ASCII) data. You can use the advanced tuning parameter pam.http.binary.fieldlength to change the minimum field size from its default of 100. You can use the advanced tuning parameter pam.http.binary.count to change the minimum number of binary bytes that must be present from its default of 5. Tuning parameters: pam.http.binary.count controls the binary-byte threshold of the HTTP_Field_With_Binary signature; pam.http.binary.fieldlength controls the field-size threshold of the HTTP_Field_With_Binary signature. | IBM X-Force: HTTP field contains binary characters |
HTTP_Fields_With_Binary | Detects HTTP requests in which multiple fields of any size contain any binary (non-ASCII) data. Detection algorithm values are configurable through psom settings: maxHttpBinaryFields, the maximum field count for fields with binary data, uses a default of 3. Tuning parameter: pam.http.binary.fieldcount specifies the number of fields in an HTTP request that might contain binary data before PAM considers it unusual and triggers HTTP_Fields_With_Binary. | IBM X-Force: HTTP requests with multiple fields containing binary data |
HTTP_Proxy_Cache_Poisoning | Detects HTTP server responses that can corrupt the caches of HTTP proxy servers. Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Small Business Server could allow a remote attacker to perform cache poisoning, caused by improper handling of HTTP headers. By sending multiple Content-Length headers along with specially crafted requests, a remote attacker could poison the vulnerable server's cache. A remote attacker could exploit this vulnerability to bypass policy restrictions or redirect users to unexpected content. Note: For a remote attacker to exploit this vulnerability, the server must have multiple web sites published. Cache poisoning is limited to the IP address or domain name of the target server. | IBM X-Force: Microsoft ISA Server HTTP header cache poisoning (CVE-2005-1215) |
HTTP_RPC_Connect | Detects an RPC request tunneled over HTTP. While this signature does not indicate an attack on your network, it does indicate traffic that might be considered suspicious in some network and service configurations. Known false positives: This event fires any time that the algorithm conditions are met; make sure the connections are coming from trusted hosts. | IBM X-Force: RPC request tunneled over HTTP has been detected |
HTTP_Unknown_Protocol | Detects a three-way handshake on port 80, followed by a non-HTTP-compliant request, followed by a non-HTTP-compliant response. Known false negatives: If a tunnelling application uses valid HTTP protocol to deliver content (for example, by using the POST method), then this signature does not trigger. | IBM X-Force: HTTP unknown protocol |
HTTP_URLscan | Detects URL requests used by certain vulnerability scanners that an attacker might use to scan your network for vulnerabilities. | IBM X-Force: HTTP URL scan |
HTTPS_Apache_ClearText_DoS | Detects an unencrypted HTTP request on port 443 that might cause the Apache web server to stop responding or return a response that is not valid. | IBM X-Force: Apache mod_ssl custom error message denial of service |
JSON_Hijacking | Detects an attempt to redefine the global Array() or Object() constructors in JavaScript. This technique typically indicates an attempt to intercept private JSON-encoded information from the user's session with another web site. Known false positives: Rarely, non-malicious web developers write non-portable JavaScript that overrides the Array or Object constructors in a way that is difficult to distinguish from exploit code. | IBM X-Force: Multiple vendor JavaScript Object Notation information disclosure |
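To make the trigger conditions in the table concrete, the following added example (not IBM PAM code, and not from this page) is a small checker that applies the documented conditions of HTTP_Content_Length_Invalid, HTTP_Proxy_Cache_Poisoning (multiple Content-Length headers), HTTP_CRLF_Injection_Response_Splitting, HTTP_Field_With_Binary, HTTP_Fields_With_Binary and JSON_Hijacking to constructed sample traffic. The thresholds mirror the documented defaults of pam.http.binary.fieldlength, pam.http.binary.count and pam.http.binary.fieldcount; the function names, the sample requests and the "at least fieldcount" comparison are assumptions made for illustration.

```python
import re

# Documented defaults of the tuning parameters named on this page
FIELD_LENGTH = 100   # pam.http.binary.fieldlength
BINARY_COUNT = 5     # pam.http.binary.count
FIELD_COUNT = 3      # pam.http.binary.fieldcount

# Constructed sample requests (not captured traffic)
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 0\r\n\r\n"
SPLIT = b"GET /redir?to=%0d%0aSet-Cookie:%20x=1 HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
DUPE = b"POST /a HTTP/1.1\r\nContent-Length: 4\r\nContent-Length: 40\r\n\r\nabcd"
BINARY = (b"GET / HTTP/1.1\r\nX-A: " + b"A" * 95 + b"\xff" * 6 + b"\r\n"
          b"X-B: \xfe\r\nX-C: \xfd\r\n\r\n")

def parse_head(raw: bytes):
    """Return (request line, [(lower-cased name, value), ...]) from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    fields = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        fields.append((name.strip().lower(), value.strip()))
    return lines[0], fields

def binary_bytes(value: bytes) -> int:
    """Count non-ASCII bytes, which is what the table calls binary data."""
    return sum(1 for b in value if b > 0x7F)

def check_request(raw: bytes) -> list:
    """Return the signature names whose documented conditions the request meets."""
    request_line, fields = parse_head(raw)
    hits = []
    lengths = [v for n, v in fields if n == b"content-length"]
    if any(not v.isdigit() for v in lengths):
        hits.append("HTTP_Content_Length_Invalid")          # non-numeric Content-Length
    if len(lengths) > 1:
        hits.append("HTTP_Proxy_Cache_Poisoning")           # multiple Content-Length headers
    if re.search(rb"%0[dD]|%0[aA]", request_line):
        hits.append("HTTP_CRLF_Injection_Response_Splitting")  # encoded CR/LF in the URL
    values = [v for _, v in fields]
    if any(len(v) > FIELD_LENGTH and binary_bytes(v) > BINARY_COUNT for v in values):
        hits.append("HTTP_Field_With_Binary")
    # Assumption: "at least fieldcount" fields; the page does not state the comparison
    if sum(1 for v in values if binary_bytes(v) > 0) >= FIELD_COUNT:
        hits.append("HTTP_Fields_With_Binary")
    return hits

def check_script(js: str) -> bool:
    """True when a script reassigns the global Array/Object constructor or installs a setter."""
    return re.search(r"\b(?:Array|Object)\s*=\s*function\b|__defineSetter__", js) is not None
```

The binary checks work on the raw header values, so run them before any decoding step that would strip or replace non-ASCII bytes.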