HTTP/1.1 went through a long evolution since 1991 to 2014:
This means there is a variety of servers and clients, which might have different views on request boundaries, creating opportunities for desynchronization attacks (a.k.a. HTTP Desync).
It might seem simple to follow the latest RFC recommendations. However, for large scale systems that have been there for a while, it may come with unacceptable availability impact.
http_desync_guardian library is designed to analyze HTTP requests to prevent HTTP Desync attacks, balancing security and availability.
It classifies requests into different categories and provides recommendations on how each tier should be handled.
It can be used either for raw HTTP request headers or already parsed by an HTTP engine. Consumers may configure logging and metrics collection. Logging is rate limited and all user data is obfuscated.
If you think you might have found a security impacting issue, please follow our Security Notification Process.
The main focus of this library is HTTP/1.1. See tests for all covered cases. Predecessors of HTTP/1.1 don't support connection re-use which limits opportunities for HTTP Desync,
however some proxies may upgrade such requests to HTTP/1.1 and re-use backend connections, which may allow to craft malicious HTTP/1.0 requests.
That's why they are analyzed using the same criteria as HTTP/1.1. For other protocol versions have the following exceptions:
HTTP/0.9 requests are never considered Compliant, but are classified as Acceptable. If any of Content-Length/Transfer-Encoding is present then it's Ambiguous.HTTP/1.0 - the presence of Transfer-Encoding makes a request Ambiguous.HTTP/2+ is out of scope. But if your proxy downgrades HTTP/2 to HTTP/1.1, make sure the outgoing request is analyzed. See documentation to learn more.
This library is designed to be primarily used from HTTP engines written in C/C++.
cargo install --force cbindgencbindgen --output http_desync_guardian.h --lang c for C.cbindgen --output http_desync_guardian.h --lang c++ for C++.cargo build --release. The binaries are in ./target/release/libhttp_desync_guardian.* files.Learn more: generic and Nginx examples.
```c
/* * httpenginerequestt - already parsed by the HTTP engine */ static int checkrequest(httpenginerequestt *req) { httpdesyncguardianrequestt guardianrequest = constructhttpdesyncguardianfrom(req); httpdesyncguardianverdictt verdict = {0};
http_desync_guardian_analyze_request(&guardian_request, &verdict);
switch (verdict.tier) {
case REQUEST_SAFETY_TIER_COMPLIANT:
// The request is good. green light
break;
case REQUEST_SAFETY_TIER_ACCEPTABLE:
// Reject, if mode == STRICTEST
// Otherwise, OK
break;
case REQUEST_SAFETY_TIER_AMBIGUOUS:
// The request is ambiguous.
// Reject, if mode == STRICTEST
// Otherwise send it, but don't reuse both FE/BE connections.
break;
case REQUEST_SAFETY_TIER_SEVERE:
// Send 400 and close the FE connection.
break;
default:
// unreachable code
abort();
}
} ```
See benchmarks as an example of usage from Rust.
If you discover a potential security issue in http_desync_gardian we ask that you notify
AWS Security via our vulnerability reporting page. Please do not create a public github issue.
See CONTRIBUTING for more information.
This project is licensed under the Apache-2.0 License.