October 2015


HTTP Evasions Explained - Part 7 - Lucky Numbers

TL;DR

This is part seven in a series which explains the evasions done by HTTP Evader. This part is about using wrong or even invalid status codes to evade the analysis. For 30% of the firewalls in the test reports I have received, it is enough to use a status code of 100 instead of 200 to bypass the analysis, and at least Chrome, IE and Edge will download the data even with this wrong status code:

   HTTP/1.1 100 ok
   Content-type: application/octet-stream
   
   malware

The previous article in this series was Part 6 - Attack of the White-Space and the next part is Part 8 - Borderline Robustness.

What is the status code

Similar to older protocols like SMTP (mail), NNTP (news) or FTP (file transfer), HTTP has the concept of 3-digit status codes, which can be roughly classified by their first digit as follows (see Wikipedia for more details):

   1xx  informational, e.g. 100 Continue or 101 Switching Protocols
   2xx  success, e.g. 200 OK
   3xx  redirection, e.g. 301 Moved Permanently or 302 Found
   4xx  client error, e.g. 401 Unauthorized or 404 Not Found
   5xx  server error, e.g. 502 Bad Gateway

From this classification it is obvious that only 2xx responses should contain data which is fully displayed inside the browser or which can be downloaded. Every other kind of response should either contain additional data which the browser uses to access the resource (like redirections, authorization requests or protocol upgrades), or it is an error message which should only be displayed in a restricted way and never be offered for download.

For example a typical successful response will be

   HTTP/1.1 200 ok
   Content-type: text/html
   
   <!doctype html><html> ....

While a typical redirect will look like this

   HTTP/1.1 302 redirect
   Location: http://www.example.org/see-elsewhere
   
   ... unimportant data not displayed by today's browsers ...

Lucky Numbers to bypass analysis

Several firewalls assume that only 2xx responses contain relevant data and do not analyze responses with other status codes. But depending on the browser and the status code, the malware will still be successfully downloaded even though the status code is used in a context where it does not belong. The following are some status codes which can be used to bypass the analysis in several firewalls:

For example, the following response will cause Safari and IE to download the malware and will bypass the analysis in about 30% of the analyzed firewalls:

   HTTP/1.1 502 something bad
   Content-type: application/octet-stream
   
   malware

Behavior with invalid status codes

Apart from these valid status codes which are merely used in unexpected conditions, the analysis can also be bypassed with several invalid codes, because browsers are robust enough to interpret the junk in some meaningful way. Typical examples are:

For example, the following response will cause Chrome, Firefox, IE and Edge to download the malware and will bypass the analysis in about 20% of the analyzed firewalls:

   HTTP/1.1 0200 invalid
   Content-type: application/octet-stream
   
   malware
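
To make both failure modes above concrete (valid codes like 100 or 502 used in the wrong place, and invalid codes like 0200), here is an added example written for this edit; it is not code from the HTTP Evader project or from any firewall. It puts a naive firewall decision which scans bodies only for 2xx responses beside a hardened one which scans any response that carries a body and treats an unparseable status line as suspicious instead of as "no data". The lenient parser is my assumption about how the browsers tolerate a status like 0200 (a numeric conversion of the digit run), not the exact algorithm of any browser. The sample responses are constructed from the ones shown in this article, not captured traffic.

```python
import re

# Constructed sample responses (assembled from the ones shown in this
# article, not captured traffic). CRLF line endings as on the wire.
SAMPLES = {
    "normal_200": (b"HTTP/1.1 200 ok\r\n"
                   b"Content-type: text/html\r\n\r\n"
                   b"<!doctype html><html>"),
    "redirect_302": (b"HTTP/1.1 302 redirect\r\n"
                     b"Location: http://www.example.org/see-elsewhere\r\n\r\n"
                     b"unimportant data"),
    "lucky_100": (b"HTTP/1.1 100 ok\r\n"
                  b"Content-type: application/octet-stream\r\n\r\n"
                  b"malware"),
    "lucky_502": (b"HTTP/1.1 502 something bad\r\n"
                  b"Content-type: application/octet-stream\r\n\r\n"
                  b"malware"),
    "invalid_0200": (b"HTTP/1.1 0200 invalid\r\n"
                     b"Content-type: application/octet-stream\r\n\r\n"
                     b"malware"),
}


def split_response(raw):
    """Split a raw response into (status_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


# RFC 7230 status-line: HTTP-version SP 3DIGIT SP reason-phrase
STRICT_STATUS = re.compile(r"^HTTP/\d\.\d (\d{3}) ")


def strict_status(status_line):
    """Return the status code only if the line is well-formed, else None."""
    m = STRICT_STATUS.match(status_line)
    return int(m.group(1)) if m else None


def lenient_status(status_line):
    """Model of browser tolerance (an assumption, not any browser's real
    algorithm): take the digit run after the version and convert it
    numerically, so "0200" is treated like 200."""
    m = re.match(r"^HTTP/\d\.\d\s+(\d+)", status_line)
    return int(m.group(1)) if m else None


def naive_inspects(raw):
    """Firewall logic the article describes: scan the body only for 2xx."""
    status_line, _, _ = split_response(raw)
    code = strict_status(status_line)
    return code is not None and 200 <= code < 300


def hardened_inspects(raw):
    """Hardened logic: every response that carries a body is scanned, and a
    status line that does not parse strictly is treated as suspicious rather
    than as "no data". Note that 1xx, 204 and 304 responses must not carry a
    body at all (RFC 7230 section 3.3.3), so a body there is itself a red flag."""
    status_line, _, body = split_response(raw)
    if strict_status(status_line) is None:
        return True
    return len(body) > 0


def bypassed_by_naive():
    """Names of the samples whose body reaches the client unscanned under the
    naive rule but would be scanned under the hardened rule."""
    return sorted(name for name, raw in SAMPLES.items()
                  if not naive_inspects(raw) and hardened_inspects(raw))


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        status_line = split_response(raw)[0]
        print(f"{name:13} strict={strict_status(status_line)!s:5} "
              f"lenient={lenient_status(status_line)!s:5} "
              f"naive_scans={naive_inspects(raw)!s:5} "
              f"hardened_scans={hardened_inspects(raw)}")
    print("bypassed by naive rule:", bypassed_by_naive())
```

The point of the comparison is the mismatch between the two parsers: the strict one rejects 0200 and a firewall built on it would simply skip the response, while the lenient one accepts it like a browser does. A firewall which wants to protect the client has to make the conservative decision whenever its own view of the response could differ from the browser's, and the simplest conservative decision is to scan anything that comes with a body.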

There is more

These are just some examples of how the unexpected behavior of browsers can be used to bypass the analysis in firewalls. If you are interested in looking at these browser quirks in more detail, or want to see how the firewall at your site deals with these problems, you can find out yourself at the HTTP Evader test site. Or maybe you want to know more about HTTP Evader and read about other bypasses.