Miscellaneous attacks

Miscellaneous attacks exploit vulnerable web servers by forcing cache servers or web browsers into disclosing user-specific information that might be sensitive and confidential.

About this attack

The following attacks are the most common types of attack in this category:

Table 1. Miscellaneous attacks

Attack type: HTTP Response Smuggling
Attack description: Allows an unauthenticated, remote attacker to send multiple HTTP requests designed to cause two targeted entities to receive different requests.

This attack can be used to send a malicious request to one entity while the other is unaware of it, in order to carry out cross-site scripting attacks or web cache poisoning attacks, or to bypass web application firewall protection.

Many web servers, firewalls, and proxy servers are susceptible to this attack; however, the effect of the attack depends on the parsing behavior of the specific product that is being attacked.

Attack type: HTTP Response Splitting
Attack description: Allows an attacker to send a single HTTP request that forces the web server to form an output stream which the target then interprets as two HTTP responses instead of one.

This attack can be used to carry out cross-site scripting attacks, cross-user defacement, web cache poisoning attacks, and similar exploits.

Attack type: JSON Hijacking
Attack description: Allows malicious websites to intercept confidential data delivered in JSON format.

This attack takes advantage of web browsers that allow scripts to override the core language's object setter routines. Malicious JavaScript overrides these routines to insert logic that monitors the JSON messages returned from a server.

Signatures triggered by this attack

The signatures that are triggered by miscellaneous attacks include:

Table 2. Miscellaneous attack signatures

Signature name: HTTP_Acunetix_WVS_Scan
Description: Searches for scans by the Acunetix Web Vulnerability Scanner.
More information: IBM® X-Force®: HTTP Acunetix WVS scan detected

Signature name: HTTP_Alternates_Corrupt
Description: Detects an Alternates header in an HTTP response that uses unbalanced curly braces, which indicate an HTTP response splitting attack, cross-site scripting, or web cache poisoning.
More information: IBM X-Force: Apache HTTP Server mod_negotiation HTTP response splitting; CVE-2008-0456

Signature name: HTTP_Connect_Proxy_Bypass_SMTP
Description: Checks for an HTTP CONNECT command that attempts to connect to port 25.
Known false positives: This signature should never trigger on external, public-facing networks, but it might trigger on internal networks where users are expected to use HTTP proxies to send SMTP traffic. However, such configurations are exceedingly rare.
More information: IBM X-Force: HTTP server CONNECT method used to bypass filtering

Signature name: HTTP_Content_Length_Invalid
Description: Detects a non-numeric HTTP Content-Length parameter.
Note: This signature does not necessarily indicate an attack on the network, but it might indicate an IDS evasion attempt, a DNS cache poisoning attack, or other malicious activity.
More information: N/A

Signature name: HTTP_CRLF_Injection_Response_Splitting
Description: Detects malicious HTTP requests that might indicate an attacker's attempt to exploit CRLF injection, which can result in HTTP response splitting.

These attacks can be used to create localized defacements, cache poisoning, cross-site scripting, or phishing.

More information: IBM X-Force: HTTP CRLF injection detected
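The two defender-side checks that the HTTP Response Splitting and HTTP_CRLF_Injection_Response_Splitting descriptions imply, as an added example that is not part of the IBM documentation: a simplified, signature-style check over a raw request line, and the server-side validation that keeps a reflected CR/LF from ever becoming a header boundary. How PAM itself tokenises requests is not on the page; the parsing and the sample request lines below are constructed for this example.

```python
from urllib.parse import unquote

def decode_repeatedly(target: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so double encoding
    (%250D%250A -> %0D%0A -> CR LF) does not slip past. Bounded to avoid
    spinning on pathological input."""
    for _ in range(rounds):
        again = unquote(target)
        if again == target:
            break
        target = again
    return target

def detect_crlf_injection(request_line: str) -> bool:
    """Signature-style check: flag a request target carrying a CR or LF, raw or
    percent-encoded. If such a value is reflected into a response header it
    forges a header boundary, which is what response splitting relies on."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else request_line
    decoded = decode_repeatedly(target)
    return "\r" in decoded or "\n" in decoded

def header_value_is_safe(value: str) -> bool:
    """Server-side control: a header value may not contain CR, LF or NUL."""
    return not any(ch in value for ch in "\r\n\x00")

def safe_header_value(value: str) -> str:
    """Validate a user-influenced value before it is emitted in a header such
    as Location or Set-Cookie; refuse it rather than trying to 'clean' it."""
    if not header_value_is_safe(value):
        raise ValueError("header value contains a line-break character")
    return value

# Constructed request lines (not captured traffic).
BENIGN = "GET /redirect?next=%2Fhome HTTP/1.1"
INJECTED = "GET /redirect?next=%2Fhome%0D%0AX-Injected:%201 HTTP/1.1"
DOUBLE_ENCODED = "GET /redirect?next=%250D%250AX-Injected:%201 HTTP/1.1"

if __name__ == "__main__":
    for line in (BENIGN, INJECTED, DOUBLE_ENCODED):
        print(detect_crlf_injection(line), line)
```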
Signature name: HTTP_Field_With_Binary
Description: Detects HTTP requests with fields that are larger than 100 bytes and contain more than 5 bytes of binary (non-ASCII) data.

You can use the advanced tuning parameter pam.http.binary.fieldlength to change the minimum field size from its default of 100.

You can use the advanced tuning parameter pam.http.binary.count to change the minimum number of binary bytes that must be present from its default of 5.

pam.http.binary.count: Controls the threshold of the HTTP_Field_With_Binary signature.
Type= number
Default value= 20
Minimum value= 0
Maximum value= 4294967295

pam.http.binary.fieldlength: Controls the threshold of the HTTP_Field_With_Binary signature.
Type= number
Default value= 100
Minimum value= 1
Maximum value= 4294967295

More information: IBM X-Force: HTTP field contains binary characters

Signature name: HTTP_Fields_With_Binary
Description: Detects HTTP requests in which multiple fields of any size contain binary (non-ASCII) data. Detection algorithm values are configurable through psom settings: maxHttpBinaryFields, the maximum number of fields that can contain binary data, with a default of 3.

pam.http.binary.fieldcount: Specifies the number of fields in an HTTP request that can contain binary data before PAM considers the request unusual and triggers HTTP_Fields_With_Binary.
Type= number
Units= fields
Default value= 3
Minimum value= 0
Maximum value= 2147483647

More information: IBM X-Force: HTTP requests with multiple fields containing binary data
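A simplified re-implementation of the HTTP_Field_With_Binary and HTTP_Fields_With_Binary checks described above, added here as an example and not taken from the IBM documentation. It uses the thresholds given in the signature descriptions (100 bytes, 5 binary bytes, 3 fields); how the real PAM engine splits a request into fields is not on the page, so treating each header line as one field, and firing when the field count is strictly greater than the threshold, are assumptions of this example.

```python
def parse_header_fields(raw_request: bytes) -> list:
    """Return the header lines (name: value) of a raw HTTP request, excluding the
    request line. Assumption: one header line is one 'field' for the signatures."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    return [line for line in head.split(b"\r\n")[1:] if line]

def binary_byte_count(field: bytes) -> int:
    """Count bytes outside the 7-bit ASCII range, the page's definition of 'binary'."""
    return sum(1 for b in field if b > 0x7F)

def check_binary_fields(raw_request: bytes,
                        fieldlength: int = 100,  # pam.http.binary.fieldlength
                        count: int = 5,          # pam.http.binary.count (per the description)
                        fieldcount: int = 3) -> set:  # pam.http.binary.fieldcount
    """Return the set of signature names that would fire for this request."""
    fired = set()
    fields_with_binary = 0
    for field in parse_header_fields(raw_request):
        binary = binary_byte_count(field)
        if binary:
            fields_with_binary += 1
        # One oversized field carrying several binary bytes.
        if len(field) > fieldlength and binary > count:
            fired.add("HTTP_Field_With_Binary")
    # Many fields, of any size, each carrying at least one binary byte.
    # Assumption: the count must exceed fieldcount, not merely reach it.
    if fields_with_binary > fieldcount:
        fired.add("HTTP_Fields_With_Binary")
    return fired

# Constructed sample requests (not captured traffic).
CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
# "X-Tag: " (7 bytes) + 100 ASCII + 8 binary = 115 bytes, 8 of them non-ASCII.
ONE_BIG_FIELD = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                 b"X-Tag: " + b"A" * 100 + b"\xff" * 8 + b"\r\n\r\n")
# Four short fields, each with a single non-ASCII byte.
MANY_SMALL_FIELDS = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                     + b"".join(b"X-%d: \xfe\r\n" % i for i in range(4)) + b"\r\n")

if __name__ == "__main__":
    for name, req in (("clean", CLEAN), ("one big field", ONE_BIG_FIELD),
                      ("many small fields", MANY_SMALL_FIELDS)):
        print(name, sorted(check_binary_fields(req)))
```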
Signature name: HTTP_Proxy_Cache_Poisoning
Description: Detects HTTP server responses that can corrupt the caches of HTTP proxy servers.

Microsoft Internet Security and Acceleration (ISA) and Microsoft Small Business Server could allow a remote attacker to perform cache poisoning, caused by improper handling of HTTP headers.

By sending multiple Content-Length headers along with specially crafted requests, a remote attacker might poison the vulnerable server's cache. A remote attacker can exploit this vulnerability to bypass policy restrictions or redirect users to unexpected content.
Note: For a remote attacker to exploit this vulnerability, the server must have multiple websites published. Cache poisoning is limited to the IP address or domain name of the target server.
More information: IBM X-Force: Microsoft ISA Server HTTP header cache poisoning; CVE-2005-1215

Signature name: HTTP_RPC_Connect
Description: Detects an RPC request that is tunneled over HTTP. While this signature does not indicate an attack on your network, it does indicate traffic that might be considered suspicious in some network and service configurations.
Known false positives: This event can fire any time that the algorithm conditions are met. However, make sure that the connections are coming from trusted hosts.
More information: IBM X-Force: RPC request tunneled over HTTP has been detected

Signature name: HTTP_Unknown_Protocol
Description: Detects a three-way handshake on port 80, followed by a non-HTTP-compliant request, followed by a non-HTTP-compliant response.
Known false negatives: If a tunneling application uses valid HTTP protocol to deliver content (for example, by using the POST method), this signature does not trigger.
More information: IBM X-Force: HTTP unknown protocol

Signature name: HTTP_URLscan
Description: Detects URL requests that are used by certain vulnerability scanners that an attacker might use to scan your network for vulnerabilities.
More information: IBM X-Force: HTTP URL scan

Signature name: HTTPS_Apache_ClearText_DoS
Description: Detects an unencrypted HTTP request on port 443 that might cause the Apache web server to stop responding or to return a response that is not valid.
More information: IBM X-Force: Apache mod_ssl custom error message denial of service; CVE-2005-3357

Signature name: JSON_Hijacking
Description: Detects an attempt to redefine the global Array() or Object() constructors in JavaScript. This technique typically indicates an attempt to intercept private JSON-encoded information from the user's session with another website.
Known false positives: Rarely, non-malicious web developers write non-portable JavaScript that overrides the Array or Object constructors in a way that is difficult to distinguish from exploit code.
More information: IBM X-Force: Multiple vendor JavaScript Object Notation information disclosure; CVE-2007-2385