[erlang-questions] Cowboy header parsing termination?
Roberto Ostinelli
roberto@REDACTED
Tue Feb 23 17:58:53 CET 2016
Thank you Fred,
This is helpful feedback.
The only reason that I was thinking it might be some kind of attack it's
because this happened within an hour on three different machines (different
environments - dev/staging/prod).
Best,
r.
On Mon, Feb 22, 2016 at 2:57 PM, Fred Hebert <mononcqc@REDACTED> wrote:
> On 02/22, Roberto Ostinelli wrote:
>
>> Dear list,
>> I keep on seeing the following in the logs:
>>
>> Ranch listener nucleo_listener terminated with reason: no case clause
>> matching 123 in cowboy_protocol:parse_hd_name_ws/8 line 276
>>
>> (code is here:
>>
>> https://github.com/ninenines/cowboy/blob/1.0.4/src/cowboy_protocol.erl#L276
>> )
>>
>> Anyone using cowboy sees the same thing? I'm wondering if this is some
>> kind
>> of targeted attack on cowboy parsing.
>>
>>
> 123 is the ASCII code for '{'. What you see here is a header fabricated to
> look maybe a bit like this:
>
> My-Header-Name {whatever goes in here}
>
> This is not valid content. When cowboy sees the space after the header
> name, it expects to see more space or a colon, possibly because the header
> should look like:
>
> My-Header-Name : {whatever goes in here}
>
> But that colon is missing and all you get is that bracket right there.
>
> It would be easy to expect it to just be garbage over the line or
> incomplete stuff than a direct attack on cowboy itself aas far as I can
> tell. There's not too much to be found by just sending requests that end
> early like that, unless someone is doing some form of fuzzing, in which
> case you should find a lot more varied error logs along with this.
>
> The trick would be to look at the content that was sent over the line
> before and after that point. One possibility could be that some proxy or
> intermediary (I don't think cowboy itself is sensitive to that) could be
> hit by request smuggling:
> http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
>
> But only contextual information could help reveal that.
>
> Regards,
> Fred.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160223/04f807b4/attachment.htm>
More information about the erlang-questions
mailing list