Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems - Research portal of Justus Liebig University Giessen:

Conference paper

Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems

Authors list: Büttner, Andre; Nguyen, Hoai Viet; Gruschka, Nils; Lo Iacono, Luigi

Appeared in: ICT Systems Security and Privacy Protection

Editor list: Jøsang, Audun; Futcher, Lynn; Hagen, Janne

Publication year: 2021

Pages: 332-347

ISBN: 978-3-030-78119-4

eISBN: 978-3-030-78120-0

DOI Link: https://doi.org/10.1007/978-3-030-78120-0_22

Conference: 36th IFIP TC 11 International Conference on Information Security and Privacy Protection (SEC 2021)

Title of series: IFIP Advances in Information and Communication Technology

Number in series: 625

Abstract:

The web is the most wide-spread digital system in the world and is used for many crucial applications. This makes web application security extremely important and, although there are already many security measures, new vulnerabilities are constantly being discovered. One reason for some of the recent discoveries lies in the presence of intermediate systems—e.g. caches, message routers, and load balancers—on the way between a client and a web application server. The implementations of such intermediaries may interpret HTTP messages differently, which leads to a semantically different understanding of the same message. This so-called semantic gap can cause weaknesses in the entire HTTP message processing chain.
In this paper we introduce the header whitelisting (HWL) approach to address the semantic gap in HTTP message processing pipelines. The basic idea is to normalize and reduce an HTTP request header to the minimum required fields using a whitelist before processing it in an intermediary or on the server, and then restore the original request for the next hop. Our results show that HWL can avoid misinterpretations of HTTP messages in the different components and thus prevent many attacks rooted in a semantic gap including request smuggling, cache poisoning, and authentication bypass.

Authors/Editors

- Uni.-Prof. Dr.-Ing. Luigi Lo Iacono

Citation Styles

Harvard Citation style: Büttner, A., Nguyen, H., Gruschka, N. and Lo Iacono, L. (2021) Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems, in Jøsang, A., Futcher, L. and Hagen, J. (eds.) ICT Systems Security and Privacy Protection. Cham: Springer. pp. 332-347. https://doi.org/10.1007/978-3-030-78120-0_22

APA Citation style: Büttner, A., Nguyen, H., Gruschka, N., & Lo Iacono, L. (2021). Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems. In Jøsang, A., Futcher, L., & Hagen, J. (Eds.), ICT Systems Security and Privacy Protection. (pp. 332-347). Springer. https://doi.org/10.1007/978-3-030-78120-0_22