Friday, April 2, 2010

Chunky Data (HTTP Headers, Part Deux)

The world of intrusion detection and analysis is constantly changing, intel comes in chunks, and the bad guys range from encryption geniuses to 14-yr old pimple-faced punks.
That all said, it is important sometimes to review the "basics." So, here is another bit of information on HTTP Header information.
Field: Transfer-Encoding ":" 1#transfer-coding
Where 1#transfer-coding is one or more tokens defining which transfer coding(s) are being used.
I have seen even the best of analysts make mistakes on what "Transfer-Encoding: chunked" means, so here goes:

This type of Transfer-Encoding ("chunked") is a method of coding used to transport HTTP messages. The RFC (link below) can be read for the full details, but the big thing that I see people getting confused about is those numbers that appear in the message stream:

HEADER
AAA
.......
......
.....

HEADER
BBB
......
....
..
0

Where AAA and BBB are hex values giving the size (in bytes) of the chunk that follows each of them. As in the picture below, the message will (must) end with a final chunk whose size is zero.

Sometimes, when following a stream in Wireshark, these numbers will "appear" in the middle of the data like:
......
XXX
.....
0
Either way, this number is not part of the actual message. Chunked encoding does not encode the payload itself; as the RFC states, it is a framing applied to the whole message body.

What is the lesson here? Be careful when analyzing HTTP stream data. Do not include the chunk size values as part of the actual message when you are trying to decode it.
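As an added example (not code from the original post), here is a small Python decoder that walks a chunked body and treats each hex size line as framing rather than payload; the sample bytes, the ";ext=1" chunk extension and the X-Trailer header are constructed for the demonstration.

```python
# Added example: decode an HTTP/1.1 chunked body the way an analyst should
# read it, i.e. strip the hex chunk-size lines and CRLF framing and keep
# only the chunk data. Not part of the original post.

def iter_chunks(body: bytes):
    """Yield (size, data) for each chunk, stopping at the zero-size last chunk."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size_field = body[pos:eol]
        # The size is hex; a ';' introduces chunk extensions, which are not data.
        size = int(size_field.split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return  # last chunk; optional trailer headers and a final CRLF follow
        data = body[pos:pos + size]
        if len(data) != size:
            raise ValueError(f"truncated chunk: expected {size} bytes, got {len(data)}")
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError(f"missing CRLF after chunk data at offset {pos}")
        pos += 2
        yield size, data


def decode_chunked(body: bytes) -> bytes:
    """Return the message payload with every chunk-size line removed."""
    return b"".join(data for _, data in iter_chunks(body))


# Constructed sample stream: a 0x18 (24) byte chunk, a 0xe (14) byte chunk
# carrying a chunk extension, then the terminating 0 chunk and a trailer.
SAMPLE = (
    b"18\r\n"
    b"<html><body>Hello, world\r\n"
    b"e;ext=1\r\n"
    b"</body></html>\r\n"
    b"0\r\n"
    b"X-Trailer: yes\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for size, data in iter_chunks(SAMPLE):
        print(f"chunk size 0x{size:x} ({size} bytes): {data!r}")
    print("decoded payload:", decode_chunked(SAMPLE))
```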