Project

General

Profile

Actions

Feature #6424

open

HTTP/2 - http.host behavior when both :authority pseudo header and host header are present

Added by Brandon Murphy about 1 year ago. Updated 7 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Consider the following rules and attached pcap.

The attached pcap contains the following HTTP/2 Header Frame which contains an :authority and host header.

Stream: HEADERS, Stream ID: 1, Length 53, GET /
    Length: 53
    Type: HEADERS (1)
    Flags: 0x05, End Headers, End Stream
    0... .... .... .... .... .... .... .... = Reserved: 0x0
    .000 0000 0000 0000 0000 0000 0000 0001 = Stream Identifier: 1
    [Pad Length: 0]
    Header Block Fragment: 828441882f91d35d055c87a78790518496c5b0ed5387497ca589d34d1f7a8fdc41d7e94c…
    [Header Length: 224]
    [Header Count: 9]
    Header: :method: GET
    Header: :path: /
    Header: :authority: example.com
    Header: :scheme: https
    Header: accept-encoding: gzip, deflate
    Header: accept-language: fr-FR
    Header: accept: text/html
    Header: user-agent: Scapy HTTP/2 Module
    Header: host: foo.com

Rules

alert http any any -> any any (msg:"test - authority and host in header names"; http.header_names; content:"|0d 0a 3a|authority|0d 0a|"; content:"|0d 0a|host|0d 0a|"; nocase; sid:1;)
alert http any any -> any any (msg:"test - example.com"; http.host; content:"example.com"; sid:2;)
alert http any any -> any any (msg:"test - foo.com"; http.host; content:"foo.com"; sid:3;)

Only sid:1 and sid:2 fire indicating that only the :authority pseudo header is being used to form the buffer for http.host

RFC 9110 (HTTP Semantics) - https://www.rfc-editor.org/rfc/rfc9110#name-host-and-authority states:

A user agent MUST generate a Host header field in a request unless it sends that information as an ":authority" pseudo-header field.

RFC 9113 (HTTP/2) states

The recipient of an HTTP/2 request MUST NOT use the Host header field to determine the target URI if ":authority" is present.

Clients MUST NOT generate a request with a Host header field that differs from the ":authority" pseudo-header field. A server SHOULD treat a request as malformed if it contains a Host header field that identifies an entity that differs from the entity in the ":authority" pseudo-header field

An intermediary that forwards a request over HTTP/2 MAY retain any Host header field.

These indicate that a request containing both an :authority pseudo header and a host header is perfectly valid. A common case would be where an intermediary host forwards an HTTP/1 request over HTTP/2.

Proposed Solution:

Method 1.
Support multi-buffer matching for http.host. This would allow the :authority and host header to both be parsed into http.host and allow backwards compatibility with existing rules.

Method 2.
Treat this occurance the same as when multiple occurrences of the same http header are found within http.header. This behavior is currently that values are comma and space separated as documented within http.header
https://docs.suricata.io/en/latest/rules/http-keywords.html#http-header-and-http-header-raw

Note: An additional feature request for an event to be fired when the `:authority` and `Host` header do not match will be created.


Files

authority_and_host_2.pcap (1.12 KB) authority_and_host_2.pcap Brandon Murphy, 10/27/2023 06:45 PM

Subtasks 1 (0 open1 closed)

Feature #6624: http/2: event on :authority vs Host header mismatchRejectedPhilippe AntoineActions

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #6425: HTTP/2 - new app-layer-event when `:authority` and `host` headers do not matchClosedPhilippe AntoineActions
Actions

Also available in: Atom PDF