
I've discovered a domain name (web site and API) which adds a header like this to each HTTP response:

```
    XTVOpalL: Gtm; path=/; Max-Age=900
```

The header name looks random. Here are a few other examples:

```
    XRQOJalT: LtZ; path=/; Max-Age=900
    XYjOzalA: Ntx; path=/; Max-Age=900
    XykOMalm: ytD; path=/; Max-Age=900
```

Note the leading 4 spaces, and compare to the other response headers:

```
HTTP/1.1 301 Moved Permanently
Date: Sat, 05 May 2018 11:52:25 GMT
Server: Apache
Location: http://example.com/wp/
Content-Length: 229
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: visid_incap_993094=GuEL85vzTDKQUJ9jfphhgvma7VoAAAAAQUIPAAAAAACgWz3NlkG3smvkXeB6Ewyl; expires=Sun, 05 May 2019 08:21:45 GMT; path=/; Domain=.example.com
Set-Cookie: nlbi_993094=z0NWEcMl0wAVBr8CiwzebQAAAACu2KRRlrUCoWpyWKTrUAJF; path=/; Domain=.example.com
Set-Cookie: incap_ses_115_993094=/xoUXc5Kags3fAFBHpCYAfma7VoAAAAABT/i1XAh1J4D/02wGnXO9w==; path=/; Domain=.example.com
Set-Cookie: ___utmvmicuVtwf=peInjtBXhca; path=/; Max-Age=900
Set-Cookie: ___utmvaicuVtwf=wYxmyOU; path=/; Max-Age=900
Set-Cookie: ___utmvbicuVtwf=TZr
    XYjOzalA: Ntx; path=/; Max-Age=900
X-Iinfo: 13-63374213-63374214 NNNN CT(222 -1 0) RT(1525521145044 0) q(0 0 2 0) r(5 5) U11
X-CDN: Incapsula
```

Main problem: this header is sometimes the first header in the response, which, in turn, is considered a vulnerability.

In my case it looks like this:

```
HTTP/1.1 301 Moved Permanently
    XYjOzalA: Ntx; path=/; Max-Age=900
Date: Sat, 05 May 2018 11:52:25 GMT
Server: Apache
Location: http://example.com/wp/
...
```

Quoting the RFC of HTTP 1.1 https://www.rfc-editor.org/rfc/rfc7230#section-3

> A sender MUST NOT send whitespace between the start-line and the first header field. ...
>
> The presence of such whitespace in a request might be an attempt to trick a server into ignoring that field or processing the line after it as a new request, either of which might result in a security vulnerability if other implementations within the request chain interpret the same message differently. Likewise, the presence of such whitespace in a response might be ignored by some clients or cause others to cease parsing.

This results in node.js throwing an error when trying to parse these HTTP responses. The error code is HPE_INVALID_HEADER_TOKEN, which is thrown only if HTTP headers are malformed.

Question: What is it? Who's doing it? Why?

Vasyl Boroviak
  • Can you share the URL of that web site or API? – shaochuancs Jul 10 '19 at 23:52
  • @shaochuancs I can't share mine, but can share two other examples I found in the wild: https://tradebeam.com.websiteoutlook.com/ and https://asgaur.com.websiteoutlook.com/ – Vasyl Boroviak Jul 11 '19 at 00:11
  • @shaochuancs note that my website has this random header as the first header in the response. The two examples I gave have the header somewhere in the middle of the list. – Vasyl Boroviak Jul 11 '19 at 00:12

1 Answer


"What is it?"

This is a bug on the server side, as it violates the HTTP protocol.

Actually, it was discussed in the HTTP working group in 2013 for "a bug into python library", and I think the conclusion by Julian Reschke is correct:

> It's not a legal field name, thus not a legal start of a header field line.
>
> ...
>
> It's forbidden by the grammar, so it's invalid.

"Who's doing it? Why?"

When the developer generates the random HTTP header name, he/she introduces these 4 leading whitespace characters by accident.

shaochuancs
  • Developers of the API checked everything they could (code, nginx, WAF, etc). They are not adding these headers. At least intentionally. So, I would have to disagree that the answer to the "Who?" question is "developer generate". – Vasyl Boroviak Jul 12 '19 at 02:51
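As an added example (it is not code from the question, the answer, or any of the software mentioned), here is a small Python checker that applies the two rules at issue on this page: the RFC 7230 section 3 prohibition on whitespace between the start-line and the first header field quoted in the question, and the "not a legal field name" grammar point from the answer. It also shows why the same line is harmless in the middle of the header list but fatal at the top: RFC 7230 section 3.2.4 tells a user agent to treat a whitespace-prefixed line after an existing field as obsolete line folding (obs-fold) and append it to the previous field's value, whereas at the top there is no previous field to fold into. The function names and the two sample responses are mine; the sample responses are constructed from the header lines shown in the question.

```python
"""Lint the header section of a raw HTTP/1.1 response against RFC 7230:
no whitespace between the start-line and the first header field (section 3),
field-name must be a token (section 3.2), obs-fold is deprecated (section 3.2.4).
Example code written for this page; not from the question, the answer, or node.js.
"""
import re
from typing import List, Tuple

# RFC 7230 section 3.2.6: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+"
#   / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
FIELD_NAME_RE = re.compile(rf"^{TCHAR}+$")
STATUS_LINE_RE = re.compile(r"^HTTP/\d\.\d [1-5]\d\d ")


def lint_response_head(raw: bytes) -> List[str]:
    """Return the grammar violations found in the header section of a raw
    response (empty list means well-formed). Line 0 is the status-line."""
    problems: List[str] = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not STATUS_LINE_RE.match(lines[0].decode("latin-1")):
        problems.append("line 0: malformed status-line")
    for i, line in enumerate(lines[1:], start=1):
        text = line.decode("latin-1")
        if text[:1] in (" ", "\t"):
            if i == 1:
                # The case in the question: nothing precedes this line that it
                # could be a continuation of, so the RFC forbids it outright.
                problems.append(f"line {i}: whitespace between start-line and first header field (RFC 7230 §3)")
            else:
                # obs-fold: deprecated, but a user agent must replace it with SP
                # and treat it as part of the previous field-value.
                problems.append(f"line {i}: obs-fold continuation of previous field (deprecated, RFC 7230 §3.2.4)")
            continue
        name, colon, _value = text.partition(":")
        if not colon:
            problems.append(f"line {i}: no ':' separating field-name and field-value")
        elif not FIELD_NAME_RE.match(name):
            problems.append(f"line {i}: field-name {name!r} is not a token")
    return problems


def unfold_fields(raw: bytes) -> List[Tuple[str, str]]:
    """Parse header fields the way a lenient user agent does: an obs-fold line
    is appended (with a single SP) to the previous field's value. Raises
    ValueError when the first header line starts with whitespace, which is
    what a strict parser does with the response in the question."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")[1:]
    fields: List[Tuple[str, str]] = []
    for text in lines:
        if text[:1] in (" ", "\t"):
            if not fields:
                raise ValueError("whitespace before first header field")
            name, value = fields[-1]
            fields[-1] = (name, value + " " + text.strip())
        else:
            name, _, value = text.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def strict_parse_accepts(raw: bytes) -> bool:
    """True if unfold_fields() accepts the response, False if it rejects it."""
    try:
        unfold_fields(raw)
        return True
    except ValueError:
        return False


# Constructed sample responses built from the header lines shown in the question.
# The random header in the middle of the list, as in the two public examples:
RESPONSE_HEADER_IN_MIDDLE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Date: Sat, 05 May 2018 11:52:25 GMT\r\n"
    b"Server: Apache\r\n"
    b"Set-Cookie: ___utmvbicuVtwf=TZr\r\n"
    b"    XYjOzalA: Ntx; path=/; Max-Age=900\r\n"
    b"X-CDN: Incapsula\r\n"
    b"\r\n"
)
# The random header as the first header, as on the asker's own site:
RESPONSE_HEADER_FIRST = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"    XYjOzalA: Ntx; path=/; Max-Age=900\r\n"
    b"Date: Sat, 05 May 2018 11:52:25 GMT\r\n"
    b"Server: Apache\r\n"
    b"Location: http://example.com/wp/\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("middle", RESPONSE_HEADER_IN_MIDDLE), ("first", RESPONSE_HEADER_FIRST)):
        print(label, lint_response_head(raw), "accepted" if strict_parse_accepts(raw) else "rejected")
```

Run against the two samples, the "middle" response is flagged only as deprecated obs-fold and parses, with the bogus line folded into the preceding Set-Cookie value; the "first" response is flagged as the RFC 7230 section 3 violation and is rejected, which matches the behaviour the question reports from node.js.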