Please note that republishing this article in full or in part is only allowed under the conditions described here.
This is the fourth part in a series which will explain the evasions done by HTTP Evader. This article is about the products which successfully support deflate compression (where several products already fail) but fail if the content is compressed twice like with the following simple response:
HTTP/1.1 200 ok Content-encoding: deflate Content-encoding: gzip content which is first compressed with deflate and then with gzip
While it might not make much sense to compress the content multiple times the HTTP standard allows it. Support in the browsers differs:
- Chrome, Firefox and Opera support stacking of Content-Encoding's in the way defined in the standard.
- Internet Explorer and Microsoft Edge don't support it and treat the content uncompressed.
- Safari does not support it either but treats the content as compressed with the compression scheme given first (e.g. only deflate in the example above).
From the tested firewalls nearly all fail to handle multiple encodings properly. Most of them simply let the content pass, probably because they only decompress the content only once (similar to Safari). Thus is the same behavior which I've already described 2 years ago for open source IDS Snort, Bro and Suricata and for virustotal.
This means nearly all of the tested firewalls can be bypassed by simply using the following perfectly valid HTTP response, at least when Chrome, Firefox or Opera are used as the web browser:
HTTP/1.1 200 ok Content-encoding: deflate Content-encoding: deflate content which is twice compressed with deflate
Some firewalls simply block any responses containing multiple compressions. This is an adequate response since the support for this (mis)feature is limited to only some browsers so one might consider the use of it an evasion attempt.
You can verify yourself if the claimed Advanced Threat Protection of your firewall can easily be bypassed with simple HTTP. If you are behind some firewall able to detect malware then all you need is a browser (Chrome, Firefox or Opera for this type of evasion) and then follow the instructions to test against the HTTP Evader tool.