HTTP Desync attacks, and starting a new role
Happy Friday, everyone! I hope your week is ending on a high note and you have some good (socially distant) weekend plans.
This is the first time I’ve sent out this newsletter in over a year. I’m rebooting it. I'm going to be sending out interesting news, articles, tips, and rants every two weeks on Fridays. I'm also going to pose questions that I'm thinking about; feel free to ignore these or write as much or as little as you like!
Something I heard about recently that blew my mind is the HTTP Desync attack (also known as HTTP request smuggling). This attack is a pretty big deal. On vulnerable applications, executing this attack means you can tamper with the next request the server processes, and that next request may belong to a completely different user. This Medium article by Emile Fugulin has a much better (and longer) explanation than I can give here, but the short of it is this. Some load balancers hold persistent connections to the servers behind them, so requests from many clients flow over the same back-end socket, one after another. And the load balancer and the back-end server might frame requests differently! If a request carries both Transfer-Encoding: chunked and Content-Length, one side may use the chunked encoding to decide where the body ends while the other side trusts the byte count, so the two disagree about how big the request is. Whatever one side considers left over stays in the connection's buffer and gets treated as the beginning of the next request!
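To make the disagreement concrete, here is a toy HTTP/1.1 request framer I added for this issue (it is not code from the original post, from the Medium article, or from any load balancer). It reads one constructed byte stream twice: once as a front end that trusts Content-Length, and once as a back end that trusts Transfer-Encoding: chunked. The request text, the smuggled prefix and the "strict" policy are all made up for the example; "strict" simply refuses any request that carries both framing headers, which is the general mitigation, not a description of what any particular server's patch does.

```python
"""Toy HTTP/1.1 request framer demonstrating a CL.TE desync.

Two parsers read the same bytes from one persistent back-end connection.
The front end frames by Content-Length, the back end by chunked encoding,
so they disagree about where the first request ends. The leftover bytes
get glued onto the front of the next (victim) request. Example code only;
the requests below are constructed, not captured traffic.
"""
from dataclasses import dataclass

CRLF = b"\r\n"


@dataclass
class Request:
    request_line: bytes
    headers: dict  # lowercase header name (bytes) -> value (bytes)
    body: bytes


class AmbiguousFraming(ValueError):
    """Raised by the strict policy when a request has both framing headers."""


def _parse_head(buf: bytes):
    """Split off request line and headers. Returns (req_line, headers, rest)."""
    end = buf.find(CRLF + CRLF)
    if end == -1:
        raise ValueError("incomplete request head")
    lines = buf[:end].split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, buf[end + 4:]


def _read_chunked(buf: bytes):
    """Consume a chunked body (no trailers assumed). Returns (body, rest)."""
    body, pos = b"", 0
    while True:
        line_end = buf.find(CRLF, pos)
        size = int(buf[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            pos = buf.find(CRLF, pos) + 2  # empty line closes the body
            return body, buf[pos:]
        body += buf[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF


def frame_one(buf: bytes, policy: str):
    """Pull one request off the buffer under a framing policy.

    "content-length"    -> trust Content-Length, ignore Transfer-Encoding
    "transfer-encoding" -> trust Transfer-Encoding: chunked, ignore Content-Length
    "strict"            -> reject a request that carries both (hypothetical mitigation)
    Returns (Request, leftover bytes still in the buffer).
    """
    req_line, headers, rest = _parse_head(buf)
    has_cl = b"content-length" in headers
    has_te = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
    if policy == "strict" and has_cl and has_te:
        raise AmbiguousFraming("both Content-Length and Transfer-Encoding present")
    if has_te and policy != "content-length":
        body, rest = _read_chunked(rest)
    elif has_cl:
        n = int(headers[b"content-length"])
        body, rest = rest[:n], rest[n:]
    else:
        body = b""
    return Request(req_line, headers, body), rest


def frame_all(stream: bytes, policy: str):
    """Frame every request in the stream; the leftover of each feeds the next."""
    out = []
    while stream:
        req, stream = frame_one(stream, policy)
        out.append(req)
    return out


def strict_rejects(stream: bytes) -> bool:
    """True if the strict policy refuses the stream's ambiguous request."""
    try:
        frame_all(stream, "strict")
    except AmbiguousFraming:
        return True
    return False


# Constructed attacker request: Content-Length covers the zero chunk AND the
# smuggled prefix, so a CL-based front end forwards all of it as one body.
_SMUGGLED = b"GET /admin HTTP/1.1\r\nX-Desync: poisoned\r\nDummy: "
_ATTACKER_BODY = b"0\r\n\r\n" + _SMUGGLED
ATTACKER = (b"POST / HTTP/1.1\r\nHost: example\r\n"
            + b"Content-Length: %d\r\n" % len(_ATTACKER_BODY)
            + b"Transfer-Encoding: chunked\r\n\r\n" + _ATTACKER_BODY)
# Constructed victim request that arrives next on the same back-end connection.
VICTIM = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
STREAM = ATTACKER + VICTIM

if __name__ == "__main__":
    for policy in ("content-length", "transfer-encoding"):
        print(policy, [r.request_line for r in frame_all(STREAM, policy)])
```

Run it and the front end reports the victim's `GET /` as the second request, while the back end reports `GET /admin` with the victim's real request line swallowed into the bogus `Dummy:` header. The fix that matters on the server side is the one `strict` models: never guess when the two headers disagree, reject the request.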
This isn't a hypothetical. If you use Python and gunicorn in production, check your gunicorn version: it was vulnerable to this until versions 19.10 and 20.0.2. Like... check now, and upgrade it, because it won't take long - there aren't (many?) breaking changes in those versions.
So, the first question: how do you make sure your libraries are up to date? I have an ad hoc process for this and I have this feeling there has to be a better way.
Also, I started a new role at my company this week! It's an exciting chance for me to make a bigger impact across our whole engineering team, but I'm also pretty nervous. So, my second question: when you start a new role, how do you feel? And what do you do your first day/week/month to settle in?
Thanks for reading, and have a great weekend!
-ntietz