Who’s Breaking the Rules? Studying Conformance to the HTTP Specifications and its Security Impact

Jannis Rautenstrauch and Ben Stock
In 19th ACM Asia Conference on Computer and Communications Security, July 2024

Abstract

HTTP is everywhere, and a consistent interpretation of the protocol’s specification is essential for interoperability and security. In 2022, after more than 30 years of evolution, the core HTTP specifications became an Internet Standard. However, apart from anecdotal evidence showing that HTTP installations violate parts of the specifications, no insights on the state of conformance of deployed HTTP systems exist. To close this knowledge gap, we systematically analyze the conformance landscape of HTTP systems with a focus on the potential security impact of rule violations.

We extracted 106 falsifiable rules from HTTP specifications and created an HTTP conformance test suite. With our test suite, we tested nine popular web servers and 9,990 live web hosts. Our results show that the risk for security issues is high as most HTTP systems break at least one rule, and more than half of all rules were broken at least once. Based on our findings, we propose improvements, such as more conformance testing and less reliance on the robustness principle and instead explicitly defining error behavior.
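To make concrete what a "falsifiable rule" extracted from the HTTP specifications looks like, and how a conformance test suite turns such rules into pass/fail checks over a raw response, here is a small added example. It is written for this page and is not the authors' test suite; the eleven rules below, their identifiers (RFC number plus section), and the three sample responses are constructed by the editor and are not the paper's 106 rules or its measurement data. The rule texts themselves are taken from RFC 9110 and RFC 9112, and the last function computes the two aggregate measures the abstract reports (share of hosts breaking at least one rule, share of rules broken at least once) over a constructed host-to-violations map.

```python
from __future__ import annotations

import re

# RFC 9110 s5.6.2 tchar: "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "."
#   / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 9112 s4: status-line = HTTP-version SP status-code SP [ reason-phrase ]
STATUS_LINE_RE = re.compile(r"^HTTP/1\.[01] [0-9]{3}(?: [^\r\n]*)?$")
# RFC 9110 s8.6: Content-Length = 1*DIGIT
DIGITS_RE = re.compile(r"^[0-9]+$")

# Constructed rule identifiers (RFC number, section, disambiguator). The paper's own
# 106 rules and their naming are not reproduced here.
RULE_IDS = ("9112-2.1", "9112-2.2", "9112-4", "9112-5", "9112-5.1", "9110-5.1",
            "9110-8.6", "9112-6.3-framing", "9112-6.1", "9112-6.3-content", "9110-10.2.2")


def check_response(raw: bytes) -> list[str]:
    """Return the rules a raw HTTP/1.1 response violates, as "<rule-id>: <detail>".
    Parsing is deliberately lenient so malformed input reaches the rule checks."""
    violations: list[str] = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # RFC 9112 s2.1: the header section ends with an empty line
        return ["9112-2.1: header section not terminated by an empty line"]
    if re.search(rb"\r(?!\n)", head):  # RFC 9112 s2.2: MUST NOT generate bare CR
        violations.append("9112-2.2: bare CR in header section")

    lines = head.decode("latin-1").split("\r\n")
    if not STATUS_LINE_RE.match(lines[0]):
        violations.append(f"9112-4: malformed status line {lines[0]!r}")
        return violations
    status = int(lines[0].split(" ")[1])

    names: list[str] = []
    content_lengths: list[str] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:  # RFC 9112 s5: field-line = field-name ":" OWS field-value OWS
            violations.append(f"9112-5: field line without a colon {line!r}")
            continue
        if name != name.rstrip(" \t"):  # RFC 9112 s5.1: no whitespace before the colon
            violations.append(f"9112-5.1: whitespace before colon in {name.strip()!r}")
        name = name.strip(" \t")
        if not TOKEN_RE.match(name):  # RFC 9110 s5.1: field-name = token
            violations.append(f"9110-5.1: field name is not a token {name!r}")
        value = value.strip(" \t")
        names.append(name.lower())
        if name.lower() == "content-length":
            if not DIGITS_RE.match(value):
                violations.append(f"9110-8.6: Content-Length is not 1*DIGIT {value!r}")
            content_lengths.append(value)

    # RFC 9112 s6.3: differing Content-Length values make the framing invalid; such
    # conflicting framing is the precondition request smuggling exploits.
    if len(set(content_lengths)) > 1:
        violations.append("9112-6.3-framing: conflicting Content-Length values "
                          + ", ".join(content_lengths))
    # RFC 9112 s6.1: a server MUST NOT send Transfer-Encoding in a 1xx or 204 response.
    if "transfer-encoding" in names and (status // 100 == 1 or status == 204):
        violations.append(f"9112-6.1: Transfer-Encoding in a {status} response")
    # RFC 9112 s6.3: 1xx, 204 and 304 responses end at the header section.
    if (status // 100 == 1 or status in (204, 304)) and body:
        violations.append(f"9112-6.3-content: {status} response carries content")
    # RFC 9110 s10.2.2: an origin server with a clock MUST send Date in 2xx-4xx.
    if 200 <= status < 500 and "date" not in names:
        violations.append(f"9110-10.2.2: no Date field in a {status} response")
    return violations


def summarize(results: dict[str, list[str]]) -> tuple[float, float]:
    """The abstract's two aggregate measures over a host -> violations map: share of
    hosts breaking at least one rule, and share of rules broken at least once."""
    hosts_breaking = sum(1 for found in results.values() if found)
    rules_broken = {v.split(":")[0] for found in results.values() for v in found}
    return hosts_breaking / len(results), len(rules_broken) / len(RULE_IDS)


# Constructed sample responses, not captured from any real host.
CONFORMANT = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jul 2024 10:00:00 GMT\r\n"
              b"Content-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello")
SMUGGLING_PRONE = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jul 2024 10:00:00 GMT\r\n"
                   b"Content-Length : 5\r\n"  # whitespace before the colon
                   b"Content-Length: 12\r\n"  # conflicts with the line above
                   b"X-Bad\rHeader: 1\r\n\r\nhello")  # bare CR inside a field name
NO_CONTENT_WITH_BODY = b"HTTP/1.1 204 No Content\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    results = {"host-a": check_response(CONFORMANT),
               "host-b": check_response(SMUGGLING_PRONE),
               "host-c": check_response(NO_CONTENT_WITH_BODY)}
    for host, found in results.items():
        print(host, found or "conformant")
    print("hosts breaking >= 1 rule, rules broken >= 1 time:", summarize(results))
```

Two design points carry over to any real conformance suite. First, the parser must be more permissive than the specification so that a violation is observed and reported rather than silently rejected before the check runs; a strict parser would hide exactly the behaviour being measured. Second, every check is tied to a MUST or MUST NOT with a section reference, which is what makes a rule falsifiable: a response either satisfies it or does not, and the Date rule shows the caveat that applicability conditions ("an origin server with a clock") belong in the rule text, not in the checker's guesswork. Against a live host the bytes would come from a socket instead of the constructed literals above.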

BibTeX

Download BibTeX or copy below:

@inproceedings{rautenstrauchWhosBreakingRules2024,
  title = {Who's {{Breaking}} the {{Rules}}? {{Studying Conformance}} to the {{HTTP Specifications}} and Its {{Security Impact}}},
  shorttitle = {Who's {{Breaking}} the {{Rules}}?},
  booktitle = {{{ACM Asia Conference}} on {{Computer}} and {{Communications Security}}},
  author = {Rautenstrauch, Jannis and Stock, Ben},
  date = {2024},
  series = {{{ASIA CCS}} '24},
  publisher = {Association for Computing Machinery},
  location = {New York, NY, USA},
  doi = {10.1145/3634737.3637678},
  abstract = {HTTP is everywhere, and a consistent interpretation of the protocol's specification is essential for interoperability and security. In 2022, after more than 30 years of evolution, the core HTTP specifications became an Internet Standard. However, apart from anecdotal evidence showing that HTTP installations violate parts of the specifications, no insights on the state of conformance of deployed HTTP systems exist. To close this knowledge gap, we systematically analyze the conformance landscape of HTTP systems with a focus on the potential security impact of rule violations. We extracted 106 falsifiable rules from HTTP specifications and created an HTTP conformance test suite. With our test suite, we tested nine popular web servers and 9,990 live web hosts. Our results show that the risk for security issues is high as most HTTP systems break at least one rule, and more than half of all rules were broken at least once. Based on our findings, we propose improvements, such as more conformance testing and less reliance on the robustness principle and instead explicitly defining error behavior.},
  isbn = {9798400704826}
}