Re: Entity tags as an HTTP covert channel

From: Maarten Van Horenbeeck (maarten@daemon.be)
Date: Fri Jun 02 2006 - 20:19:00 EDT


Thank you Robert,

> By using randomized byte ranges you'll also be able to fool many Web
> Application Firewalls, and IDS systems flagging on response signature
> based vulnerabilities.

My initial goal was to fool the proxy, as I expected some would merge
many different partial downloads for the same file into one 200 response
to make the logs more readable. I did not, however, find any proxy
application/appliance that summarized in this way. Nevertheless, it
remains a lot more covert than seeing data in the request string.

It's also quite easy to merge your data into an Apache- or IIS-compliant
entity tag. The only drawback you have there is that you're restricting
the bandwidth of your tunnel.

Best regards,
Maarten

-- 
Maarten Van Horenbeeck, CISSP GCIA GCIH
maarten@daemon.be - http://www.daemon.be/maarten
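The thread discusses tunnelling data through randomized byte-range requests that a proxy logs as ordinary 206 responses. The following is an added detection example, not code from the original post or from any product mentioned on the list: it parses a constructed, simplified proxy log (client, status, resource, Range header) and flags a client whose partial requests to one resource are non-contiguous and tiny, which is how a legitimate resumed download does not look. The log format, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Flag clients whose partial-content (Range) requests to a single resource look
randomized rather than like a sequential download or resume.

Added example for the covert-channel discussion above; the log format, the
sample lines and the thresholds are constructed for illustration."""
import re
from collections import defaultdict

# Constructed log lines: client, HTTP status, resource, Range request header.
SAMPLE_LOG = """\
10.0.0.5 206 /static/big.iso bytes=0-1048575
10.0.0.5 206 /static/big.iso bytes=1048576-2097151
10.0.0.5 206 /static/big.iso bytes=2097152-3145727
10.0.0.9 206 /images/logo.png bytes=4112-4113
10.0.0.9 206 /images/logo.png bytes=77-78
10.0.0.9 206 /images/logo.png bytes=9001-9004
10.0.0.9 206 /images/logo.png bytes=300-302
10.0.0.9 206 /images/logo.png bytes=1500-1500
10.0.0.9 206 /images/logo.png bytes=8-9
"""

LINE_RE = re.compile(r"^(\S+) (\d{3}) (\S+) bytes=(\d+)-(\d*)$")


def parse_log(text):
    """Return (client, resource, start, end) tuples for parseable 206 lines.

    An open-ended range such as bytes=500- yields end=None."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # unknown format: skip rather than guess
        client, status, resource, start, end = match.groups()
        if status != "206":
            continue  # only partial-content responses are of interest here
        records.append((client, resource, int(start), int(end) if end else None))
    return records


def is_contiguous(ranges):
    """True when each range, in request order, starts right after the previous end."""
    prev_end = None
    for start, end in ranges:
        if prev_end is not None and start != prev_end + 1:
            return False
        prev_end = end
    return True


def suspicious_range_clients(records, min_requests=4, max_bytes_per_request=64):
    """Return {(client, resource): reason} for pairs whose partial requests are
    numerous, non-contiguous and tiny.

    A genuine resume fetches large, mostly sequential chunks; a stream of
    scattered requests that each carry only a few bytes delivers almost no
    content and is a reasonable hunting signal for data encoded in offsets."""
    by_key = defaultdict(list)
    for client, resource, start, end in records:
        by_key[(client, resource)].append((start, end))

    flagged = {}
    for key, ranges in by_key.items():
        if len(ranges) < min_requests or is_contiguous(ranges):
            continue
        sizes = [end - start + 1 for start, end in ranges if end is not None]
        if sizes and max(sizes) <= max_bytes_per_request:
            flagged[key] = (f"{len(ranges)} non-contiguous ranges, "
                            f"max {max(sizes)} bytes each")
    return flagged


if __name__ == "__main__":
    for (client, resource), reason in suspicious_range_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {resource}: {reason}")
```

Run against the constructed log, the sequential download from 10.0.0.5 passes and the scattered one-to-four-byte requests from 10.0.0.9 are reported. The thresholds are deliberately conservative; a real deployment would tune them against the site's own download profile and correlate with the ETag values the origin actually emits.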


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:02 EDT