Explanation on the 502 Error to Delta and Sun Sites

Information from Jim Harrison regarding the problems with connecting to the Delta, Sun and other sites that generated the 502 error:

Disabling filters may not help with www.delta.com, www.sun.com or any
site that causes ISA 2004 SP2 to generate the following message:

Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)

The reason for the behavior you’re seeing is that new logic that was added in ISA 2004 SP2 to mitigate HTTP request smuggling. The process for this attack is a bit involved but the short story is that HRS depends on sending response headers that include both “Content-length:” and “transfer-encoding: chunked”.

A whitepaper on the subject is available here:
https://www.watchfire.com/securearea/whitepapers.aspx

RFC-2616 defines those two headers for the purpose of providing quantitative content validation for the receiver and states *very clearly* that the server MUST NOT combine them in the same response.

If the server is configured such that it does violate this edict, RFC-2616 then requires the receiving entity to ignore the content-length value and instead use the chunked-encoding technique to validate the length of the HTTP body.

This places a processing burden on the receiving entity (ISA, in this case), since a chunked-encoded transfer can’t be quantitatively validated until the transfer is completed. In the case of a proxy, additional processing is imposed due to caching behavior that may be dependent on content-size.

The reason those sites are either failing outright (www.delta.com) or rendering poorly (www.sun.com) is because we chose to reject those responses out-of-hand. Since RFC-2616 clearly states “don’t combine those headers” and doing so is a demonstrably malicious act, it seemed unlikely that ISA would cause problems for any other than malicious sites, and in fact, our testing validated this belief.

As it turns out, there are quite a few legitimate sites out there that violate this part of RFC-2616 and so we have had to rethink our answer to this problem.

PSS will have a public fix available shortly.
Jim
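
The following is an added example, not code from Jim Harrison's message or from ISA Server. It models the RFC 2616 section 4.4 framing rule the message describes: when a message carries both Content-Length and Transfer-Encoding: chunked, the receiver must ignore Content-Length and use the chunked coding. It also shows why a receiver that trusts Content-Length instead is dangerous: it leaves bytes in the stream that get parsed as the start of a second, attacker-chosen message, which is the desynchronization request smuggling relies on. The sample message, the host example.test and the /admin path are constructed for this example.

```python
"""Added example (not from the original post): framing an HTTP/1.1 message
whose headers carry both Content-Length and Transfer-Encoding: chunked.

RFC 2616 section 4.4 says a message MUST NOT carry both, and that if it does
the receiver MUST ignore Content-Length and use the transfer-coding.  A
receiver that trusts Content-Length instead leaves bytes in the stream that
it will treat as the start of the next message.  The sample message below
is constructed for this example.
"""
from typing import List, Tuple

Header = Tuple[bytes, bytes]


def split_message(raw: bytes) -> Tuple[bytes, List[Header], bytes]:
    """Split a raw HTTP/1.1 message into start line, header list and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def has_chunked_coding(headers: List[Header]) -> bool:
    """True when a non-identity Transfer-Encoding is announced."""
    return any(n == b"transfer-encoding" and v.lower() != b"identity"
               for n, v in headers)


def has_conflicting_framing(headers: List[Header]) -> bool:
    """True for the combination RFC 2616 forbids: Content-Length plus chunked.
    This is the condition the ISA 2004 SP2 logic in the post rejected."""
    has_cl = any(n == b"content-length" for n, _ in headers)
    return has_cl and has_chunked_coding(headers)


def decode_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; return (decoded body, bytes after the last chunk)."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            # last-chunk: skip optional trailer lines up to the empty line
            while True:
                eol = data.index(b"\r\n", pos)
                line, pos = data[pos:eol], eol + 2
                if not line:
                    return bytes(out), data[pos:]
        out += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def frame_by_content_length(headers: List[Header], body: bytes) -> Tuple[bytes, bytes]:
    """Cut the body at Content-Length; return (body, leftover bytes)."""
    for n, v in headers:
        if n == b"content-length":
            length = int(v)
            return body[:length], body[length:]
    return body, b""


def frame_rfc2616(raw: bytes) -> Tuple[bytes, bytes]:
    """RFC 2616 4.4: chunked wins over Content-Length when both appear."""
    _, headers, body = split_message(raw)
    if has_chunked_coding(headers):
        return decode_chunked(body)
    return frame_by_content_length(headers, body)


def frame_naive(raw: bytes) -> Tuple[bytes, bytes]:
    """A receiver that trusts Content-Length even when chunked is announced."""
    _, headers, body = split_message(raw)
    return frame_by_content_length(headers, body)


# Constructed sample: a single chunk whose payload looks like a second request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"  # 43 bytes = 0x2b
SAMPLE = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + b"2b\r\n" + SMUGGLED + b"\r\n"
    + b"0\r\n\r\n"
)

if __name__ == "__main__":
    _, hdrs, _ = split_message(SAMPLE)
    print("conflicting framing headers:", has_conflicting_framing(hdrs))
    print("RFC 2616 framing: body=%r leftover=%r" % frame_rfc2616(SAMPLE))
    print("naive CL framing: body=%r leftover=%r" % frame_naive(SAMPLE))
```

Run stand-alone, the RFC-compliant framing consumes the whole chunked body and leaves nothing in the stream, while the Content-Length-trusting framing stops after four bytes and leaves a complete `GET /admin` request behind to be read as the next message. A proxy that, like the SP2 logic described above, simply rejects any message where `has_conflicting_framing` is true never reaches that state, at the cost of breaking the legitimate sites that send both headers.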
