Keran Mu, Tsinghua University; Jianjun Chen, Jianwei Zhuge, Qi Li, and Haixin Duan, Tsinghua University; Zhongguancun Laboratory; Nick Feamster, University of Chicago
HTTP Desync is a high-risk threat in today's decentralized Internet, stemming from discrepancies among HTTP implementations. Current automatic detection tools, primarily dictionary-based scanners and black-box fuzzers, lack insights into internal states of implementations, leading to ineffective testing. Moreover, they focus on the request-side Desync, overlooking vulnerabilities in HTTP responses.
In this paper, we present HDHunter, a novel automatic HTTP discrepancy detection framework using the gray-box coverage-directed differential testing technique. HDHunter can discover discrepancies in not only HTTP requests but also HTTP responses and CGI responses. We evaluated our HDHunter prototype against 19 state-of-the-art HTTP implementations and identified 17 new HTTP Desync vulnerabilities. We have disclosed all identified vulnerabilities to corresponding vendors and received acknowledgments and bug bounty rewards, including 9 CVEs from well-known HTTP software, including Apache, Tomcat, Squid, etc.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
