On Jun 13, 2013, at 12:46 AM, Brian Smith <[email protected]> wrote:
> "Circumventing Security Systems With Dubious HTTP Responses":
> http://noxxi.de/research/dubious-http.html
>
> Does anybody see any action items here?

The "Multipart MIME Responses" bit is really interesting. So if I understand correctly:

1) a server under control of an attacker can send a multipart response with multiple HTML parts
2) we ignore all parts except the *last* one (which is probably the right thing to do)
3) malware detection proxies/filters might ignore all parts except the *first* one

(There is no mention of specific software that does #3 so that part is a bit vague but I could see how an attacker could abuse that.)

I don't know if this is a common technique that is used in the wild. If it is then we might want to consider changing our logic for multipart and render the *first* part received. That would close this loophole. Not sure if that would break any existing legit apps that might depend on the current multipart behaviour though.

S.

_______________________________________________
dev-tech-network mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-network
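Added example, not part of the original message or of any Mozilla code: a filter-side check that splits a multipart response into all of its parts and compares a verdict taken from the first part alone with a verdict taken over every part, which is the mismatch described in points 2 and 3 above. The multipart/x-mixed-replace content type, the sample body, the SCAN-TEST-MARKER string and all function names are assumptions constructed for illustration.

```python
import re

# Constructed sample response (not captured traffic): two HTML parts that differ.
CONTENT_TYPE = 'multipart/x-mixed-replace; boundary="frame"'   # assumed type
BODY = (
    b"--frame\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>harmless page</body></html>\r\n"
    b"--frame\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>SCAN-TEST-MARKER</body></html>\r\n"
    b"--frame--\r\n"
)
MARKER = b"SCAN-TEST-MARKER"   # inert stand-in for content a scanner would flag


def boundary_of(content_type):
    """Extract the boundary parameter from a Content-Type header value."""
    m = re.search(r'boundary="?([^";]+)"?', content_type, re.IGNORECASE)
    if m is None:
        raise ValueError("multipart response without a boundary parameter")
    return m.group(1).strip().encode("ascii")


def split_parts(body, boundary):
    """Return [(headers, payload)] for every part, in wire order."""
    # Delimiters only count at the start of a line, so split on CRLF + "--boundary".
    chunks = (b"\r\n" + body).split(b"\r\n--" + boundary)
    parts = []
    for chunk in chunks[1:]:              # chunks[0] is the preamble
        if chunk.startswith(b"--"):       # closing delimiter "--boundary--"
            break
        head, _, payload = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        parts.append((headers, payload))
    return parts


def inspect_response(content_type, body):
    """Compare a first-part-only verdict with a verdict over every part."""
    parts = split_parts(body, boundary_of(content_type))
    hits = [i for i, (_, payload) in enumerate(parts) if MARKER in payload]
    return {"parts": len(parts), "first_part_only": 0 in hits,
            "every_part": bool(hits), "flagged_parts": hits}


if __name__ == "__main__":
    print(inspect_response(CONTENT_TYPE, BODY))
```

A filter that reports first_part_only as clean while every_part is flagged has not inspected the part the client ends up rendering.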
