HTTP requests and Apache modules: Creative attack vectors

Posted by pinkgothic on Stack Overflow
Published on 2010-05-29T13:24:05Z Indexed on 2010/05/29 13:32 UTC

Slightly unorthodox question here:

I'm currently trying to break an Apache with a handful of custom modules.

What spawned the testing is that Apache internally forwards requests that it considers too large (e.g. 1 MB trash) to modules hooked in appropriately, forcing them to deal with the garbage data - and lack of handling in the custom modules caused Apache in its entirety to go up in flames. Ouch, ouch, ouch.

That particular issue was fortunately fixed, but the question's arisen whether or not there may be other similar vulnerabilities.

Right now I have a tool at my disposal that lets me send a raw HTTP request to the server (or rather, raw data through an established TCP connection that could be interpreted as an HTTP request if it followed the form of one, e.g. "GET ...") and I'm trying to come up with other ideas. (TCP-level attacks like Slowloris and Nkiller2 are not my focus at the moment.)

Does anyone have a few nice ideas how to confuse the server and/or its modules to the point of self-immolation?

  • Broken UTF-8? (Though I doubt Apache cares about encoding - I imagine it just juggles raw bytes.)
  • Stuff that is only barely too long, followed by a 0-byte, followed by junk?
  • et cetera

I don't consider myself a very good tester (I'm doing this by necessity and lack of manpower; I unfortunately don't even have a more than basic grasp of Apache internals that would help me along), which is why I'm hoping for an insightful response or two or three. Maybe some of you have done some similar testing for your own projects?

(If Stack Overflow is not the right place for this question, I apologise. Not sure where else to put it.)

© Stack Overflow or respective owner
