14h50 - 15h30

Insula I

Hiding wookies in HTTP

HTTP is everywhere, and everyone wants to write their own HTTP server software.

So I wrote my own as well. However, it’s not very fast and it comes with an HTTP client that sends really bad requests.

My tool is a stress test for HTTP servers and reverse proxies, and I created it because I’d already found a few security holes in every HTTP agent that I’d started looking at in detail.

In other words, nodejs, , Varnish, Apache httpd, golang, FreeBSD’s httpd, nginx, and even HaProxy.

This presentation will try to explain how small flaws in HTTP parsing can be exploited for malevolent purposes; why it’s extremely difficult to correct these errors and why I think that should no longer be the case. We will look at some truly bad implementations in detail, combining them to create some significant flaws.

If you don’t know anything about HTTP, you may be able to understand, but you’ll have to put your trust in me blindly. If you do think you know something about HTTP, there’s no reason why you shouldn’t come and watch this presentation.

At the end, I’ll present the Open Source stress testing tool (HTTPWokiee), in the hope that you’ll remember it when it’s your turn to write your own bad HTTP implementation.