The HTTP Garden: Discovering Parsing Vulnerabilities in HTTP/1.1 Implementations by Differential Fuzzing of Request Streams
Ben Kallus, Prashant Anantharaman, Michael Locasto, Sean W. Smith

TL;DR
The paper introduces the HTTP Garden, a tool that detects HTTP/1.1 parsing vulnerabilities in web servers by differential fuzzing of request streams, revealing over 100 bugs and aiding security research.
Contribution
It presents a novel coverage-guided differential fuzzer and interactive environment for discovering HTTP parsing discrepancies in origin servers, surpassing previous blackbox techniques.
Findings
Discovered over 100 HTTP parsing bugs in popular web servers.
68 of the reported bugs were fixed after disclosure.
Identified 39 exploitable vulnerabilities.
Abstract
HTTP/1.1 parsing discrepancies have been the basis for numerous classes of attacks against web servers. Previous techniques for discovering HTTP parsing discrepancies have focused on blackbox differential testing of HTTP gateway servers, despite evidence that the most significant parsing anomalies occur within origin servers. While these techniques can detect some vulnerabilities, not all parsing discrepancy-related vulnerabilities are detectable by examining a gateway server's output alone. Our system, the HTTP Garden, examines both origin servers' interpretations and gateway servers' transformations of HTTP requests. It also includes a coverage-guided differential fuzzer for HTTP/1.1 origin servers that is capable of mutating all components of a request stream, paired with an interactive REPL that facilitates the automatic discovery of meaningful HTTP parsing discrepancies and the…
Taxonomy
Topics: Web Application Security Vulnerabilities · Advanced Malware Detection Techniques · Security and Verification in Computing
