Activity Processors: Method Processor: Incident - Unknown HTTP Protocol

Complexity: Medium (3.0)

Default Response: 1x = Slow Connection 2-6 seconds for 1 day & 1 Hour Clear Inputs

Cause: HTTP comes in several different versions, and each request a client issues to the webserver specifies which one it uses. The acceptable standard versions are 0.9, 1.0, and 1.1. Any other protocol represents a nonstandard HTTP request issued by a nonstandard HTTP client. Under nearly every legitimate use case, there is no reason either to omit the protocol or to provide one that is not standard. This incident triggers whenever a user submits a request that contains an unknown protocol version, which is a clear violation of the HTTP protocol RFC specifications. The only time this should be acceptable behavior is if the web application intentionally uses a nonstandard protocol; however, this should rarely, if ever, be the case.

Behavior: This incident is likely to occur when an attacker is attempting to create a custom attack script against the website. They may have mistyped the protocol value, or they may be intentionally using a nonstandard value to prevent one of the devices that processes the request from functioning as intended. For example, an attacker can try to submit a request with an invalid protocol of 11.1 in an effort to break security devices protecting the webserver. These security devices might not be able to handle nonstandard protocols correctly and, as a result, can allow malicious requests to reach the backend unmodified.
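
The check described under Cause and Behavior, as an added example (not the product's own code): a strict request-line classifier run over constructed sample lines, using the version list given above. The function names, the verdict labels, and the choice to report a missing version separately from an unknown one are assumptions of this example.

```python
import re

# Versions the page lists as the acceptable standard ones.
STANDARD_VERSIONS = {"0.9", "1.0", "1.1"}
# Strict token shape: ASCII digits only, case-sensitive "HTTP", nothing after.
_VERSION_RE = re.compile(r"HTTP/([0-9]+)\.([0-9]+)")


def classify_protocol(request_line):
    """Return 'standard', 'unknown', 'missing' or 'malformed'."""
    parts = request_line.rstrip("\r\n").split(" ")
    if not all(parts):
        return "malformed"          # empty field: doubled or stray space
    if len(parts) == 2:
        return "missing"            # method and target, no version token
    if len(parts) != 3:
        return "malformed"          # too few or too many fields
    m = _VERSION_RE.fullmatch(parts[2])
    if m is None:
        return "unknown"            # e.g. "http/1.1" or trailing junk
    version = m.group(1) + "." + m.group(2)
    return "standard" if version in STANDARD_VERSIONS else "unknown"


def find_incidents(request_lines):
    """Return (line_number, request_line, verdict) for each non-standard line."""
    hits = []
    for number, line in enumerate(request_lines, 1):
        verdict = classify_protocol(line)
        if verdict != "standard":
            hits.append((number, line, verdict))
    return hits


# Constructed sample request lines, not taken from real traffic.
SAMPLE = [
    "GET /index.html HTTP/1.1",
    "GET /login HTTP/11.1",      # the invalid 11.1 value mentioned above
    "POST /api/items HTTP/1.0",
    "GET /legacy",               # version omitted
    "GET /report HTTP/1.10",     # must not be normalised to 1.1
    "HEAD / http/1.1",           # wrong case
    "GET /a b HTTP/1.1",         # extra field
]

if __name__ == "__main__":
    for number, line, verdict in find_incidents(SAMPLE):
        print(f"line {number}: {verdict}: {line!r}")
```

Comparing the version as an exact string, rather than parsing it into numbers, keeps values such as 1.10 or 01.1 from being accepted as 1.1 by this check while a later component reads them differently.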