[erlang-questions] Cowboy header parsing termination?

Fred Hebert <>
Mon Feb 22 14:57:34 CET 2016


On 02/22, Roberto Ostinelli wrote:
>Dear list,
>I keep on seeing the following in the logs:
>
>Ranch listener nucleo_listener terminated with reason: no case clause
>matching 123 in cowboy_protocol:parse_hd_name_ws/8 line 276
>
>(code is here:
>https://github.com/ninenines/cowboy/blob/1.0.4/src/cowboy_protocol.erl#L276)
>
>Anyone using cowboy sees the same thing? I'm wondering if this is some kind
>of targeted attack on cowboy parsing.
>

123 is the ASCII code for '{'. What you see here is a header fabricated 
to look maybe a bit like this:

    My-Header-Name {whatever goes in here}

This is not valid content. When cowboy sees the space after the header 
name, it expects to see more space or a colon, possibly because the 
header should look like:

    My-Header-Name : {whatever goes in here}

But that colon is missing and all you get is that bracket right there.

It would be easy to expect it to just be garbage over the line or 
incomplete stuff than a direct attack on cowboy itself aas far as I can 
tell. There's not too much to be found by just sending requests that end 
early like that, unless someone is doing some form of fuzzing, in which 
case you should find a lot more varied error logs along with this.

The trick would be to look at the content that was sent over the line 
before and after that point. One possibility could be that some proxy or 
intermediary (I don't think cowboy itself is sensitive to that) could be 
hit by request smuggling: 
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

But only contextual information could help reveal that.

Regards,
Fred.


More information about the erlang-questions mailing list