CISPA
Browse

Who’s Breaking the Rules? Studying Conformance to the HTTP Specifications and its Security Impact

Download (560.86 kB)
Version 2 2024-07-25, 12:16
Version 1 2024-05-15, 10:47
conference contribution
posted on 2024-07-25, 12:16 authored by Jannis RautenstrauchJannis Rautenstrauch, Ben StockBen Stock
HTTP is everywhere, and a consistent interpretation of the protocol’s specification is essential for interoperability and security. In 2022, after more than 30 years of evolution, the core HTTP specifications became an Internet Standard. However, apart from anecdotal evidence showing that HTTP installations violate parts of the specifications, no insights on the state of conformance of deployed HTTP systems exist. To close this knowledge gap, we systematically analyze the conformance landscape of HTTP systems with a focus on the potential security impact of rule violations. We extracted 106 falsifiable rules from HTTP specifications and created an HTTP conformance test suite. With our test suite, we tested nine popular web servers and 9,990 live web hosts. Our results show that the risk for security issues is high as most HTTP systems break at least one rule, and more than half of all rules were broken at least once. Based on our findings, we propose improvements, such as more conformance testing and less reliance on the robustness principle and instead explicitly defining error behavior.

History

Primary Research Area

  • Empirical and Behavioral Security

Name of Conference

ACM ASIA Conference on Computer and Communications Security (AsiaCCS)

BibTeX

@conference{Stock:Rautenstrauch:2024, title = "Who’s Breaking the Rules? Studying Conformance to the HTTP Specifications and its Security Impact", author = "Stock, Ben" AND "Rautenstrauch, Jannis", year = 2024, month = 7 }

Usage metrics

    Categories

    No categories selected

    Licence

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC