[Owasp-leaders] Great interview with John at Gunner's blog

John Wilander john.wilander at owasp.org
Fri Apr 5 12:50:10 UTC 2013


Eoin, you engage in an interesting discussion. Let's have a look at HTTP
and strings. :)

To scope things I suggest we look just at HTTP headers. Lots of good appsec
stuff happening there. Cookies, response splitting, custom headers etc.
What is allowed in an HTTP header? The RFC <http://www.ietf.org/rfc/rfc2616.txt> says:

message-header = field-name ":" [ field-value ]
field-name     = token
field-value    = *( field-content | LWS )
field-content  = <the OCTETs making up the field-value
                  and consisting of either *TEXT or combinations
                  of token, separators, and quoted-string>

token          = 1*<any CHAR except CTLs or separators>

CHAR           = <any US-ASCII character (octets 0 - 127)>

CTL            = <any US-ASCII control character
                        (octets 0 - 31) and DEL (127)>

separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

LWS            = [CRLF] 1*( SP | HT )

CRLF            = CR LF

OCTET          = <any 8-bit sequence of data>

TEXT           = <any OCTET except CTLs,
                        but including LWS>

So, header names can consist of ASCII chars 32-126 except 19 chars called
separators.

Then there shall be a colon.

Finally the header value can consist of any ASCII chars 9, 32-126 except 19
chars called separators … or a mix of tokens, separators, and quoted
strings.

On top of this web servers such as Apache impose length constraints on
headers, somewhere around 10,000 chars.

Now, let's have a look at "strings".

Java uses Unicode strings in UTF-16 code units which handle over 100,000
characters. As far as I know C# and JavaScript do the same. The max size
of strings is often limited by the max size of integers, typically 2^31 - 1
which is just over 2 billion.

Now, how can these 100,000+ character-set, 2-billion-character-long strings
be used in an HTTP header API?

Java:
void addHeader(java.lang.String name,
               java.lang.String value)

… which in a typical implementation might look like this:

public void addHeader(String name, String value) {
  if (isCommitted())
    return;

  if (included)
    return;     // Ignore any call from an included servlet

  synchronized (headers) {
    ArrayList values = (ArrayList) headers.get(name);
    if (values == null) {
      values = new ArrayList();
      headers.put(name, values);
    }
    values.add(value);  // name and value are stored as-is, no check against the RFC grammar
  }
}

In the JavaDoc for addHeader() in the HttpServletResponse interface you of
course find instructions to developers:
"If it contains octet string, it should be encoded according to RFC 2047 (
http://www.ietf.org/rfc/rfc2047.txt)"

How many developers take action on that comment? How many get it right? How
many product owners agree to make the investment on their project?

This is exactly what I mean. We still believe we need plain strings. We
don't. Almost nothing is just "a string" in software engineering. There's
always lexical, syntactical, and semantical restrictions. We have to start
helping developers get these things right.

The interface should of course have been:

void addHeader(javax.http.HeaderName name,
               javax.http.HeaderValue value)

… and the two domain classes HeaderName and HeaderValue should have been
immutables which do input validation according to the rfc in their
constructors.

Agree?

   Regards, John




2013/4/5 Eoin <eoin.keary at owasp.org>

> Don't use strings??
> That might break HTTP :)
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 5 Apr 2013, at 06:39, Dinis Cruz <dinis at ddplus.net> wrote:
>
> >
> http://1raindrop.typepad.com/1_raindrop/2013/04/security-140-conversation-with-john-wilander.html
> >
> > Lots of great ideas and focus areas for OWASP's community :)
> >
> > Dinis Cruz
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>



-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se
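As an added example (not code from the post, the JavaDoc, or any servlet container), here is what the proposed immutable HeaderName and HeaderValue types could look like when they validate against the RFC 2616 grammar quoted above. The class names, the choice to reject CRLF folding outright, and the choice to reject 8-bit octets (leaving RFC 2047 encoding to the caller) are this example's assumptions.

```java
import java.util.Objects;

// Added example: immutable header name/value types whose constructors enforce
// the RFC 2616 grammar, so an addHeader(HeaderName, HeaderValue) overload can
// never be handed CR/LF or other illegal octets. Names and policy are assumptions.
public final class StrictHeaders {
    // The 19 separators from RFC 2616 section 2.2 (SP and HT included).
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    /** field-name = token = 1*<any CHAR except CTLs or separators>. */
    public static final class HeaderName {
        private final String name;
        public HeaderName(String name) {
            Objects.requireNonNull(name, "name");
            if (name.isEmpty()) throw new IllegalArgumentException("empty header name");
            for (int i = 0; i < name.length(); i++) {
                char c = name.charAt(i);
                if (c <= 31 || c >= 127 || SEPARATORS.indexOf(c) >= 0)
                    throw new IllegalArgumentException("illegal char U+" + Integer.toHexString(c) + " in header name");
            }
            this.name = name;
        }
        @Override public String toString() { return name; }
    }

    /** field-value as summarised in the post: HT (9) or US-ASCII 32-126.
     *  Assumption: no CRLF line folding and no 8-bit octets are accepted; callers
     *  must RFC 2047-encode non-ASCII text before constructing a value. */
    public static final class HeaderValue {
        private final String value;
        public HeaderValue(String value) {
            Objects.requireNonNull(value, "value");
            for (int i = 0; i < value.length(); i++) {
                char c = value.charAt(i);
                if (c != '\t' && (c < 32 || c >= 127))
                    throw new IllegalArgumentException("illegal char U+" + Integer.toHexString(c) + " in header value");
            }
            this.value = value;
        }
        @Override public String toString() { return value; }
    }

    public static void main(String[] args) {
        new HeaderName("X-Frame-Options");   // accepted
        new HeaderValue("DENY");             // accepted
        try { new HeaderName("X-Bad:Name"); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
        // A value carrying CRLF (the response-splitting case mentioned above) is rejected at construction time:
        try { new HeaderValue("ok\r\nSet-Cookie: x=1"); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```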

