Application Layer Covert Channel Analysis and ... - Bill Buchanan
Z. Kwecka, BSc (Hons) Network Computing, 2006 (p. 72)

...much more data than one bit per message. Communicating parties could agree that any characters transmitted between the name of the method (GET, POST, etc.) and the space character (SP) are part of the covert payload. The remote party would, however, need to remove those characters from the HTTP stream before interpreting the message or forwarding it downstream.

Request-Line with covert channel = Method [ASCII encoded payload] SP Request-URI SP HTTP-Version CRLF

The Request-Line has no specified size limit, so any number of ASCII characters could be encoded into it in this manner. Still, the statistical data collected on request messages indicate that this technique is probably very easy to detect, as the set of methods in current use is practically limited to GET and POST (they are the most common ones in use).

Another interesting fact about the start-line of a request message is that the host part of the URI specified in this line must be ignored if a "Host" header is contained within the request. This is yet another redundancy in the RFC 2616 specification, which can cause security holes in a system allowing HTTP transfers. We can imagine the following scenario. A client sends a message with the URI in the request-line set to "http://COVERTCHANNEL/some_existing_document" and a "Host" header with its value set to "some_host". Any proxy or the receiving server would treat this request as valid, but a recipient of the covert payload could also easily extract the ASCII encoded payload.

Request-message with a covert channel =
GET SP ["http://" ASCII payload] Resource_locator SP HTTP-Version CRLF
Host: SP remote_host_DNS_name CRLF
CRLF

Yet again the amount of payload here would be virtually unlimited, as the request-line has no size constraints.

Response message

According to the specification, an HTTP response-message should consist of a status-line, followed by message headers, a compulsory empty line and an optional message body. A status-line is made up of the HTTP version, the numeric status code of the response and its associated textual phrase, with each element separated by SP characters.

Status-line = HTTP_Version SP Status-Code SP Reason-Phrase CRLF

Since every element of HTTP has been designed so that both machines and people can understand its syntax without great difficulty, the status-line consists of a status code intended for machine interpretation and a human-readable Reason-Phrase. The status codes are defined as 3-digit integers and there are five general groups of status codes, otherwise called classes of response, categorized by the first digit of the code (Fielding, et al, 1999, pp. 40):
- 1xx: Informational – Request received, continuing process
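The two request-line anomalies described above (payload appended to the method token, and an absolute-form Request-URI whose host disagrees with the Host header) are both visible to a proxy or inspection point that parses the start-line before forwarding. The following detection check is an added example written for this page; it is not code from the thesis. It assumes the RFC 2616 method set as an allowlist, and the sample requests (including the COVERTCHANNEL/some_host pair from the text) are constructed for illustration. It also parses the response status-line described in the next section, so that the 3-digit status code and its class digit can be validated on the return path.

```python
"""Detection checks for HTTP/1.1 start-line covert channels (added example).

Flags (1) a method token outside the expected set, which catches payload
glued onto the method name, and (2) an absolute-form Request-URI whose host
differs from the Host header, the RFC 2616 redundancy discussed in the text.
parse_status_line() validates the response status-line format and returns
the class digit (1-5). All sample messages below are constructed.
"""
import re
from urllib.parse import urlsplit

# Methods defined by RFC 2616; anything else deserves a look in most environments.
KNOWN_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}

REQUEST_LINE = re.compile(r"^(?P<method>[^ ]+) (?P<uri>[^ ]+) (?P<version>HTTP/\d\.\d)$")
STATUS_LINE = re.compile(r"^(?P<version>HTTP/\d\.\d) (?P<code>\d{3}) (?P<reason>.*)$")


def parse_request(raw: bytes):
    """Split a raw request into (request-line, lower-cased header dict). Body is ignored."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_request(raw: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    request_line, headers = parse_request(raw)
    m = REQUEST_LINE.match(request_line)
    if not m:
        return ["malformed request-line: %r" % request_line]
    method, uri = m.group("method"), m.group("uri")
    if method not in KNOWN_METHODS:
        # Covers "GETSECRET"-style padding as well as genuinely unknown methods.
        findings.append("unexpected method token %r" % method)
    if uri.lower().startswith(("http://", "https://")):
        # Absolute-form URI: its host is ignored by servers when Host is present,
        # so a disagreement between the two is a signal worth logging.
        uri_host = (urlsplit(uri).hostname or "").lower()
        host_hdr = headers.get("host", "").split(":")[0].lower()
        if host_hdr and uri_host != host_hdr:
            findings.append("absolute URI host %r disagrees with Host header %r"
                            % (uri_host, host_hdr))
    return findings


def parse_status_line(line: str):
    """Return (version, code, reason, class_digit) for a well-formed status-line."""
    m = STATUS_LINE.match(line)
    if not m:
        raise ValueError("malformed status-line: %r" % line)
    code = int(m.group("code"))
    return m.group("version"), code, m.group("reason"), code // 100


# Constructed samples (not captured traffic).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
METHOD_PAYLOAD = b"GETSECRET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
HOST_MISMATCH = (b"GET http://COVERTCHANNEL/some_existing_document HTTP/1.1\r\n"
                 b"Host: some_host\r\n\r\n")

if __name__ == "__main__":
    for sample in (BENIGN, METHOD_PAYLOAD, HOST_MISMATCH):
        print(sample.split(b"\r\n")[0].decode(), "->", check_request(sample))
    print(parse_status_line("HTTP/1.1 100 Continue"))
```

The method allowlist is deliberately strict: the text's own observation that real traffic is almost entirely GET and POST is what makes a padded method token stand out, so a deployment would tune KNOWN_METHODS to what its applications actually use rather than widen it.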
