Range requests allow servers to respond with a range of bytes without sending an entire response. This can be used to send data without receiving data, which in turn can be used for eavesdropping. An attacker can inject data into a cross-origin resource by loading a malicious JavaScript file, for example. This could then be executed on the user’s system if the user visits a website with cross-origin resource support. To be vulnerable, a website must allow Range requests.

Browsers strictly enforce referer restrictions to make sure that data from untrusted locations cannot act as an origin. Therefore, if an attacker can trick a user into loading a website with a malicious referer header, then the attacker can trick the user into sending data to the origin.

Range Requests Are Dangerous

Range requests can be dangerous because they allow the user to send data without receiving data back. Once a website sends data to an attacker using a Range request, the attacker can then use that data for any purpose they would like. This could result in serious security concerns.

Range Requests in HTTP

Range requests in HTTP allow servers to respond with a range of bytes without sending an entire response. A malicious JavaScript file can be loaded by the client and then executed on the user’s system if the user visits a website with cross-origin resource support.

To make sure that data from untrusted locations cannot act as an origin, browsers strictly enforce referer restrictions. If a website allows Range requests, it will accept data from maliciously crafted referers and therefore be vulnerable to this attack. In order for Range requests to work, the client must send a Content-Length header or else the server will return an error code.
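
As an added illustration (not code from the original page), the sketch below shows how a server can evaluate a single-range `Range` header under RFC 9110 semantics and answer with 206, 416, or a full 200. Multi-range and malformed headers are ignored, which the RFC permits; the function names, the case-sensitive header lookup and the sample resource are assumptions made for this example.

```python
import re

# Single byte-range only: "bytes=first-last", "bytes=first-" or "bytes=-suffix".
_RANGE = re.compile(r"bytes=([0-9]*)-([0-9]*)")

def parse_range(value, size):
    """Return (start, end) inclusive, "ignore" for a header the server will
    not honour, or "unsatisfiable" when no byte of the resource is covered."""
    m = _RANGE.fullmatch(value.strip())
    if not m or (m.group(1) == "" and m.group(2) == ""):
        return "ignore"                      # malformed or multi-range
    first, last = m.group(1), m.group(2)
    if first == "":                          # suffix form: last N bytes
        n = int(last)
        if n == 0 or size == 0:
            return "unsatisfiable"
        return (max(size - n, 0), size - 1)
    start = int(first)
    if last != "" and int(last) < start:
        return "ignore"                      # invalid spec: last < first
    if start >= size:
        return "unsatisfiable"
    end = size - 1 if last == "" else min(int(last), size - 1)
    return (start, end)

def respond(request_headers, body):
    """Build (status, headers, payload) for a GET on `body`."""
    size = len(body)
    headers = {"Accept-Ranges": "bytes"}
    rng = request_headers.get("Range")
    parsed = parse_range(rng, size) if rng is not None else "ignore"
    if parsed == "ignore":                   # serve the whole representation
        headers["Content-Length"] = str(size)
        return 200, headers, body
    if parsed == "unsatisfiable":            # 416 reports the real length
        headers["Content-Range"] = f"bytes */{size}"
        headers["Content-Length"] = "0"
        return 416, headers, b""
    start, end = parsed
    payload = body[start:end + 1]
    headers["Content-Range"] = f"bytes {start}-{end}/{size}"
    headers["Content-Length"] = str(len(payload))
    return 206, headers, payload

# Constructed sample resource, not taken from the page.
SAMPLE = b"0123456789abcdefghij"
```
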

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/03/2023 20:55:00 UTC
