July 2013


Dubious HTTP II - Unusual HTTP Content-Encodings

The Content-Encoding header is normally used to tell the client that the body has been compressed. The usual values are gzip (RFC1952) and deflate, which according to RFC2616 means a zlib stream (RFC1950) wrapping raw deflate data (RFC1951). The HTTP standard (RFC2616) also allows other Content-Encodings and allows several encodings to be applied on top of each other, even though combining compression algorithms makes little sense: a header like Content-Encoding: gzip, deflate states that gzip was applied first and deflate afterwards, so the receiver has to undo them in reverse order.
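Added example (not code from the article or its test suite): a Python model of the mechanics behind this paragraph and the sections that follow. encode_body applies stacked Content-Encodings the way a server would (including the non-standard raw deflate variant), decode_response undoes Transfer-Encoding and then Content-Encoding in the order RFC2616 prescribes, and decode_content_encoding runs either strictly (fail on an unknown token or on a header/body mismatch, which is what an inspecting IDS or proxy should do) or in a constructed lenient mode that sniffs the real encoding from the first bytes. The lenient policy is an assumption standing in for a forgiving client, not the measured behavior of any browser; the payload and chunk sizes are constructed.

```python
import gzip
import zlib

# Constructed sample entity body for the tests (not from the article).
PAYLOAD = b"<html><body>constructed sample body</body></html>"


def encode_body(data, encodings, raw_deflate=False):
    """Apply codings left to right; return (body, Content-Encoding header value).
    RFC 2616 14.11 lists codings in the order applied, so receivers undo them right
    to left.  "deflate" must be a zlib stream (RFC 1950); raw_deflate=True emits bare
    RFC 1951 data instead, a common server mistake that decoders end up tolerating."""
    body = data
    for enc in encodings:
        token = enc.strip().lower()
        if token in ("gzip", "x-gzip"):
            body = gzip.compress(body)
        elif token == "deflate" and raw_deflate:
            comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
            body = comp.compress(body) + comp.flush()
        elif token == "deflate":
            body = zlib.compress(body)
        elif token != "identity":
            raise ValueError(f"cannot produce content coding {enc!r}")
    return body, ", ".join(encodings)


def chunk(body, size=8):
    """Apply Transfer-Encoding: chunked (RFC 2616 3.6.1) without trailers."""
    pieces = [body[i:i + size] for i in range(0, len(body), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"


def dechunk(body):
    """Undo chunked encoding; chunk extensions (after ';') and trailers are dropped."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip().decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; anything after it is trailer
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def sniff_encoding(body):
    """Guess the real coding from the first bytes instead of trusting the header."""
    if body[:2] == b"\x1f\x8b":
        return "gzip"  # RFC 1952 magic
    if len(body) >= 2 and body[0] & 0x0F == 8 and ((body[0] << 8) | body[1]) % 31 == 0:
        return "deflate"  # zlib header: CM=8 and FCHECK valid
    return None  # raw deflate has no signature


def inflate(body):
    """Accept the zlib-wrapped form RFC 2616 requires as well as bare raw deflate."""
    try:
        return zlib.decompress(body)
    except zlib.error:
        return zlib.decompress(body, -zlib.MAX_WBITS)


DECODERS = {"gzip": gzip.decompress, "x-gzip": gzip.decompress, "deflate": inflate}


def decode_content_encoding(body, header, lenient=False):
    """Undo Content-Encoding right to left.
    strict (default): unknown token or header/body mismatch raises, so an inspecting
    system fails closed instead of passing the body unseen.
    lenient: a modelled forgiving client (an assumption, not any particular browser):
    decode what the body really is on a mismatch, pass it undecoded on an unknown token."""
    tokens = [t.strip().lower() for t in header.split(",") if t.strip()]
    for token in reversed(tokens):
        if token == "identity":
            continue
        decoder = DECODERS.get(token)
        if decoder is None:
            if lenient:
                return body
            raise ValueError(f"unknown Content-Encoding {token!r}")
        try:
            body = decoder(body)
        except (OSError, EOFError, zlib.error) as exc:
            real = sniff_encoding(body)
            if not (lenient and real):
                raise ValueError(f"body is not {token} (looks like {real})") from exc
            body = DECODERS[real](body)
    return body


def decode_response(headers, body, lenient=False):
    """Recover the entity a client sees: Transfer-Encoding belongs to the message and
    is removed first, Content-Encoding belongs to the entity and is undone afterwards."""
    h = {k.lower(): v for k, v in headers.items()}
    te = h.get("transfer-encoding", "").strip().lower()
    if te == "chunked":
        body = dechunk(body)
    elif te and te != "identity":
        raise ValueError(f"unsupported Transfer-Encoding {te!r}")
    ce = h.get("content-encoding", "")
    return decode_content_encoding(body, ce, lenient) if ce else body
```

The security-relevant point is the gap between the two modes: wherever an inspecting system decodes more strictly or more leniently than the browser (stacked encodings, raw versus zlib deflate, a header that lies about the body, an unknown token), the browser ends up rendering content the inspector never looked at.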

To determine the behavior of the browsers I tested with:

To evaluate the behavior of intermediate systems I let virustotal.com (2013/7/1) check some URLs with unusual content-encodings. I also looked at the source code of common IDS:

To reproduce the results you might point your browser to my test site or set up your own using my test suite.

Supported Encodings

Interpretation of Content-Encoding Header

Mismatch Between Specified and Real Encoding

Stacking of Multiple Content-Encodings

Behavior on Unknown Encodings

Transfer-Encoding versus Content-Encoding

Conclusion

An attacker who has full control over a web server serving malware can use unusual Content-Encodings or Transfer-Encodings to easily bypass security systems that decode the response differently from the browser.