October 2015

Please note that republishing this article in full or in part is only allowed under the conditions described here.

HTTP Evasions Explained - Part 7 - Lucky Numbers

This is part seven in a series which will explain the evasions done by HTTP Evader. This part will be about using the wrong or even invalid status codes to evade the analysis. For 30% of the firewalls in the tests reports I've got it is enough to use a status code of 100 instead of 200 to bypass analysis and at least Chrome, IE and Edge will download the data even with this wrong status code:

HTTP/1.1 100 ok Content-type: application/octet-stream malware

The previous article in this series was Part 6 - Attack of the White-Space and the next part is Part 8 - Borderline Robustness.

What is the status code

Similar to older protocols like SMTP (mail), NNTP (news) or FTP (file transfer) HTTP has the concept of 3-digit status codes which can by roughly classified as follows (see Wikipedia for more details):

2xx - successful response

3xx - see elsewhere for the data (another URL, the cache ...)

4xx - client side problem (bad request, authorization needed, requested URL does not exist ...)

5xx - server side problem (failure in web application ...)

1xx - special responses (intermediate response, protocol upgrade ...)

From this classification it is obvious that only the 2xx responses should contain any data which are fully displayed inside the browser or which can be downloaded. Every other kind of response should either contain additional data which will be used by the browser to access the resource (like redirections, authorization requests or protocol upgrades) or these will be error messages which should better only be displayed in a restricted way and not be downloaded.

For example a typical successful response will be

HTTP/1.1 200 ok Content-type: text/html <!doctype html><html> ....

While a typical redirect will look like this

HTTP/1.1 302 redirect Location: http://www.example.org/see-elsewhere ... unimportant data not displayed by todays browsers ...

Lucky Numbers to bypass analysis

Several firewalls assume that only the 2xx responses will contain relevant data and will not analyze responses which contain other status codes. But, depending on the browser and status code the malware will be successfully downloaded as long as the status code is used in unusual conditions. The following are some status codes which can be used to bypass analysis in several firewalls:

3xx: These status code are used for redirections to another resource (except 304). Thus the response should contain a Location header which points to this resource. If the Location header is missing Safari and IE will download the content for codes 300, 305 and 308 and Safari also for some more codes.

401, 407: These codes are used when authorization is required by a web server or proxy. The response should contain a WWW-Authenticate header. If this header is missing Safari and IE will download the data.

5xx: Safari will download the data for at least code 500 and 502, while IE for code 502.

100: this code should only be used together with a POST request which contained an "Expect: 100-continue" header. But Chrome, Edge and IE will simply download the content if used outside of this context.

Thus the following response will cause Safari and IE to download the malware and will bypass the analysis in about 30% of the analyzed firewalls:

HTTP/1.1 502 something bad Content-type: application/octet-stream malware

Behavior with invalid status codes

Apart from these valid status codes which are just used in unexpected conditions, the analysis can also be bypassed using several invalid codes because the browsers are robust enough to interpret the junk in some meaningful way. Typical examples are:

"0200": This 4 digit code will lead to a successful download in all browsers except Safari.

"2", "20": These 1 or 2 digit codes will lead to a successful download with IE and Safari

"20x", "2xx": IE will happily download the data even though these 3 character codes contain non-digits. It will stay happy if the 4-digit "2000" is used.

"000": keeps Firefox happy while "600","700","800" and "900" keep Safari and IE happy.

Thus the following response will cause Chrome, Firefox, IE and Edge to download the malware and will bypass the analysis in about 20% of the analyzed firewalls:

HTTP/1.1 0200 invalid Content-type: application/octet-stream malware

There is more

These are just some examples how the unexpected behavior of browsers can be used to bypass the analysis in firewalls. If you are interested to look into more detail at these browser quirks or want to see how the firewall at your site deals with these problems you can find out yourself at the the HTTP Evader test site. Or maybe you want to know more about HTTP Evader and read about other bypasses.