October 2015
Please note that republishing this article in full or in part is only allowed under the conditions described here.
HTTP Evasions Explained - Part 4 - Doubly Compressed Content
TL;DR
This is the fourth part in a series which will explain the evasions done by HTTP Evader. This article is about the products which successfully support deflate compression (where several products already fail) but fail if the content is compressed twice, as in the following simple response:

    HTTP/1.1 200 ok
    Content-encoding: deflate
    Content-encoding: gzip

    content which is first compressed with deflate and then with gzip
The previous article in this series was Part 3 - Chunked Transfer and the next part is Part 5 - Gzip Compression.
Support for multiple Content-Encoding headers in Browsers
While it might not make much sense to compress the content multiple times, the HTTP standard allows it. Support in the browsers differs:
- Chrome, Firefox and Opera support stacking of Content-Encoding headers in the way defined in the standard.
- Internet Explorer and Microsoft Edge don't support it and treat the content as uncompressed.
- Safari does not support it either but treats the content as compressed with the compression scheme given first (e.g. only deflate in the example above).
Failure to Support multiple Content-Encoding headers in Firewalls
Of the tested firewalls nearly all fail to handle multiple encodings properly. Most of them simply let the content pass, probably because they decompress the content only once (similar to Safari). This is the same behavior which I've already described 2 years ago for the open source IDS Snort, Bro and Suricata and for virustotal.
This means nearly all of the tested firewalls can be bypassed by simply using the following perfectly valid HTTP response, at least when Chrome, Firefox or Opera are used as the web browser:

    HTTP/1.1 200 ok
    Content-encoding: deflate
    Content-encoding: deflate

    content which is twice compressed with deflate

Some firewalls simply block any responses containing multiple compressions. This is an adequate response: since support for this (mis)feature is limited to only some browsers, one might consider its use an evasion attempt.
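To show what the inspecting side has to do, here is an added Python example (not code from HTTP Evader or from the author): a decoder that unwinds the full Content-Encoding stack in reverse order, next to a single-pass decoder that models the failing firewalls. The signature string and the padding are constructed test data, and `max_layers` is an assumed bound on how many layers a filter should be willing to unwrap.

```python
import gzip
import zlib

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # stands in for a malware signature (constructed)


def apply_encodings(body, encodings):
    """Compress `body` with each coding in the order listed (builds the test input)."""
    for enc in encodings:
        if enc == "gzip":
            body = gzip.compress(body)
        elif enc == "deflate":
            body = zlib.compress(body)  # RFC 1950 zlib wrapper, as HTTP "deflate" is defined
        else:
            raise ValueError(f"unsupported coding: {enc}")
    return body


def inflate(data):
    """HTTP 'deflate': zlib-wrapped per the RFC, falling back to raw deflate (some servers omit the wrapper)."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return zlib.decompress(data, -zlib.MAX_WBITS)


def parse_encodings(headers):  # repeated headers and comma lists form one ordered stack
    return [e.strip().lower() for h in headers for e in h.split(",") if e.strip()]


def decode_full(body, headers, max_layers=4):
    """What an inspecting device must do: undo every coding, last applied first."""
    stack = parse_encodings(headers)
    if len(stack) > max_layers:
        raise ValueError("too many Content-Encoding layers")  # bound the decompression work
    for enc in reversed(stack):
        if enc in ("gzip", "x-gzip"):
            body = gzip.decompress(body)
        elif enc == "deflate":
            body = inflate(body)
        elif enc != "identity":
            raise ValueError(f"unsupported coding: {enc}")
    return body


def decode_once(body, headers):
    """The failing behaviour: honour only the first coding, then stop (as Safari does)."""
    first = parse_encodings(headers)[0]
    return gzip.decompress(body) if first in ("gzip", "x-gzip") else inflate(body)


if __name__ == "__main__":
    headers = ["deflate", "deflate"]  # the response shown above
    wire = apply_encodings(b"<html>" + b"x" * 64 + MARKER + b"</html>", headers)
    print("single-pass decoder sees the signature:", MARKER in decode_once(wire, headers))  # False
    print("full decoder sees the signature:", MARKER in decode_full(wire, headers))  # True
```

The single-pass decoder hands the scanner a still-compressed zlib stream, so a plaintext signature never matches; only the full decoder reaches the original bytes.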
Try it for yourself
You can verify for yourself whether the claimed Advanced Threat Protection of your firewall can easily be bypassed with simple HTTP. If you are behind a firewall that claims to detect malware, all you need is a browser (Chrome, Firefox or Opera for this type of evasion); then follow the instructions to test against the HTTP Evader tool.