[erlang-questions] Cowboy header parsing termination?
Fred Hebert
mononcqc@REDACTED
Mon Feb 22 14:57:34 CET 2016
On 02/22, Roberto Ostinelli wrote:
>Dear list,
>I keep on seeing the following in the logs:
>
>Ranch listener nucleo_listener terminated with reason: no case clause
>matching 123 in cowboy_protocol:parse_hd_name_ws/8 line 276
>
>(code is here:
>https://github.com/ninenines/cowboy/blob/1.0.4/src/cowboy_protocol.erl#L276)
>
>Anyone using cowboy sees the same thing? I'm wondering if this is some kind
>of targeted attack on cowboy parsing.
>
123 is the ASCII code for '{'. What you see here is a header fabricated
to look maybe a bit like this:
My-Header-Name {whatever goes in here}
This is not valid content. When cowboy sees the space after the header
name, it expects to see more space or a colon, possibly because the
header should look like:
My-Header-Name : {whatever goes in here}
But that colon is missing and all you get is that bracket right there.
It would be easy to expect it to just be garbage over the line or
incomplete stuff than a direct attack on cowboy itself as far as I can
tell. There's not too much to be found by just sending requests that end
early like that, unless someone is doing some form of fuzzing, in which
case you should find a lot more varied error logs along with this.
The trick would be to look at the content that was sent over the line
before and after that point. One possibility could be that some proxy or
intermediary (I don't think cowboy itself is sensitive to that) could be
hit by request smuggling:
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
But only contextual information could help reveal that.
Regards,
Fred.