[erlang-questions] Cowboy header parsing termination?

Roberto Ostinelli roberto@REDACTED
Tue Feb 23 17:58:53 CET 2016

Thank you Fred,
This is helpful feedback.

The only reason that I was thinking it might be some kind of attack it's
because this happened within an hour on three different machines (different
environments - dev/staging/prod).


On Mon, Feb 22, 2016 at 2:57 PM, Fred Hebert <mononcqc@REDACTED> wrote:

> On 02/22, Roberto Ostinelli wrote:
>> Dear list,
>> I keep on seeing the following in the logs:
>> Ranch listener nucleo_listener terminated with reason: no case clause
>> matching 123 in cowboy_protocol:parse_hd_name_ws/8 line 276
>> (code is here:
>> https://github.com/ninenines/cowboy/blob/1.0.4/src/cowboy_protocol.erl#L276
>> )
>> Anyone using cowboy sees the same thing? I'm wondering if this is some
>> kind
>> of targeted attack on cowboy parsing.
> 123 is the ASCII code for '{'. What you see here is a header fabricated to
> look maybe a bit like this:
>    My-Header-Name {whatever goes in here}
> This is not valid content. When cowboy sees the space after the header
> name, it expects to see more space or a colon, possibly because the header
> should look like:
>    My-Header-Name : {whatever goes in here}
> But that colon is missing and all you get is that bracket right there.
> It would be easy to expect it to just be garbage over the line or
> incomplete stuff than a direct attack on cowboy itself aas far as I can
> tell. There's not too much to be found by just sending requests that end
> early like that, unless someone is doing some form of fuzzing, in which
> case you should find a lot more varied error logs along with this.
> The trick would be to look at the content that was sent over the line
> before and after that point. One possibility could be that some proxy or
> intermediary (I don't think cowboy itself is sensitive to that) could be
> hit by request smuggling:
> http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
> But only contextual information could help reveal that.
> Regards,
> Fred.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160223/04f807b4/attachment.htm>

More information about the erlang-questions mailing list