summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc8565.txt
blob: c087fb8da7518049a81e936530c50aaf1de3e64a (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
Independent Submission                                     E. Fokschaner
Request for Comments: 8565                                  1 April 2019
Category: Informational
ISSN: 2070-1721


                 Hypertext Jeopardy Protocol (HTJP/1.0)

Abstract

   The Hypertext Jeopardy Protocol (HTJP) inverts the request/response
   semantics of the Hypertext Transfer Protocol (HTTP).  Using
   conventional HTTP, one connects to a server, asks a question, and
   expects a correct answer.  Using HTJP, one connects to a server,
   sends an answer, and expects a correct question.  This document
   specifies the semantics of HTJP.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not candidates for any level of Internet Standard;
   see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8565.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.







Fokschaner                    Informational                     [Page 1]
^L
RFC 8565             Hypertext Jeopardy Protocol 1.0        1 April 2019


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   3
   3.  Comparison with HTTP  . . . . . . . . . . . . . . . . . . . .   3
   4.  Response and Request Semantics  . . . . . . . . . . . . . . .   4
     4.1.  Applicability of Postel's Robustness Principle  . . . . .   4
     4.2.  Identifying the Server Associated with an HTJP Response .   5
     4.3.  Temporal Considerations . . . . . . . . . . . . . . . . .   5
     4.4.  Pseudo-Valid HTJP Messages  . . . . . . . . . . . . . . .   6
     4.5.  HTTP Responses That Are Not Requestable . . . . . . . . .   6
   5.  Caches and Proxies  . . . . . . . . . . . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
     7.1.  Securing HTTP against HTJP  . . . . . . . . . . . . . . .   7
       7.1.1.  Anti-HTJP-Nonce Header  . . . . . . . . . . . . . . .   8
     7.2.  HTJPS . . . . . . . . . . . . . . . . . . . . . . . . . .   8
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Appendix A.  Hypertext Double Jeopardy Protocol . . . . . . . . .  11
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  11
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   The Hypertext Jeopardy Protocol (HTJP) 1.0 is a stateless
   application-level response/request protocol that functions as the
   semantic inverse of the Hypertext Transfer Protocol (HTTP) 1.1 .

   It can roughly be specified in relation to HTTP by the following
   rules:

   o  Where an HTTP client would send an HTTP request message, an HTJP
      client would send an HTTP response message.

   o  Where an HTTP server would send an HTTP response message, an HTJP
      server would send an HTTP request message.

   o  The HTTP request sent as an HTJP response should be an HTTP
      request that (if sent to the appropriate HTTP server) would elicit
      the HTTP response sent in the HTJP request.

   HTJP is compatible with the HTTP/1.1 specification, at least in
   spirit, if not in letter.






Fokschaner                    Informational                     [Page 2]
^L
RFC 8565             Hypertext Jeopardy Protocol 1.0        1 April 2019


   HTJP has novel applications in all the following areas:

   o  Generative automated testing of HTTP implementations and HTTP-
      based applications.

   o  Monitoring of HTTP-based applications in production.

   o  Forensic and diagnostic reconstruction of HTTP requests from HTTP
      response logs.

   o  Discovery of first-party and third-party security vulnerabilities.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Comparison with HTTP

   It is a little-known fact that HTTP/1.1 already defines itself to be
   its own inverse mode of operation.  Section 3.1 of RFC 7230
   [RFC7230], which describes the start line of the HTTP message format,
   states:

      In theory, a client could receive requests and a server could
      receive responses, distinguishing them by their different start-
      line formats, but, in practice, servers are implemented to only
      expect a request [...] and clients are implemented to only expect
      a response.

   It is only convention that HTTP clients send HTTP requests and that
   HTTP servers send HTTP responses.  Therefore, HTJP is just HTTP with
   some alternative conventions.  It is not a distinct protocol.
   Furthermore, since all messages in HTJP are indistinguishable from
   HTTP messages, an HTJP peer would have no way of identifying itself
   explicitly as using HTJP rather than HTTP.

   Therefore, we describe HTJP as a "pseudo-protocol" in order to
   distinguish clients, servers, and conversations that are using the
   HTTP conventions laid out in this document from those that use
   conventions that are more commonly associated with HTTP.







Fokschaner                    Informational                     [Page 3]
^L
RFC 8565             Hypertext Jeopardy Protocol 1.0        1 April 2019


4.  Response and Request Semantics

   An HTJP request MUST be an HTTP response message.  An HTJP response
   message MUST be an HTTP request message that, if issued to the
   appropriate HTTP server, would elicit the HTTP response specified by
   the HTJP request being replied to.

   As described in Section 3, HTJP is unconventional but valid HTTP, and
   so the entirety of the HTTP specification (as defined in [RFC7230],
   [RFC7231], [RFC7232], [RFC7233], [RFC7234], and [RFC7235]) MUST be
   respected when doing so is consistent with HTJP's unique semantics.

   The following example illustrates a typical message exchange for an
   HTJP request concerning the same hypothetical server from Section 2.1
   of RFC 7230 [RFC7230].

   Client request:

     HTTP/1.1 200 OK
     Date: Mon, 27 Jul 2009 12:28:53 GMT
     Server: Apache
     Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
     ETag: "34aa387-d-1568eb00"
     Accept-Ranges: bytes
     Content-Length: 51
     Vary: Accept-Encoding
     Content-Type: text/plain

     Hello World! My payload includes a trailing CRLF.

   Server response:

     GET /hello.txt HTTP/1.1
     Host: www.example.com

4.1.  Applicability of Postel's Robustness Principle

   Implementations of HTJP SHOULD respect Postel's Robustness Principle
   [IAB-PROTOCOL-MAINTENANCE].

   Applied to HTJP, Postel's Robustness Principle implies that, given
   the choice of multiple valid HTJP responses for an HTJP request, one
   SHOULD prefer a response that is more adherent to the HTTP standard
   or uses fewer HTTP features.  For example, sometimes a User-Agent
   header has no bearing on the HTTP response from an HTTP server.  On
   seeing such a response in an HTJP request, an HTJP server could
   validly respond with a practically unlimited number of permutations
   on the User-Agent header value.  However, it SHOULD prefer to respond



Fokschaner                    Informational                     [Page 4]
^L
RFC 8565             Hypertext Jeopardy Protocol 1.0        1 April 2019


   with an HTTP request that has no User-Agent header whatsoever, in
   keeping with Postel's Robustness Principle.

   The same consideration applies when encountering an HTJP request for
   which there are both valid and "pseudo-valid" (Section 4.4) HTJP
   responses available.

4.2.  Identifying the Server Associated with an HTJP Response

   It may be of interest to a user of HTJP to try issuing an HTJP
   response as an HTTP request to the appropriate server.  This brings
   up the issue of correctly identifying the host to which the HTJP
   response should be sent.  Much of the time this will be able to be
   determined from the Host header field of the HTJP response.  The Host
   header is required by conformant HTTP/1.1 requests.  In the case that
   the Host header is not present (for example, if the HTJP response is
   an HTTP/1.0 request rather than HTTP/1.1), an HTJP response MAY use
   the absolute URI form in the HTTP request line, to add clarity about
   the target host if it would be validly accepted by the server.  This
   specific example is complicated by the fact that prior to HTTP/1.1 it
   was not required that implementations accept the absolute URI form.
   For this reason, it is also possible to phrase the HTJP response as
   an HTTP request to a Forward Proxy server, which would have accepted,
   indeed needed, the absolute URI request line prior to and after
   HTTP/1.1.  As a last resort, it may be possible to heuristically
   derive the target host of an HTJP response from the HTJP request; for
   example, the HTJP request may have absolute references to other HTTP
   resources that seem to come from the same host.

4.3.  Temporal Considerations

   When an HTJP response is issued, there is no guarantee that, by the
   time the response is received by an HTJP client, the HTTP server that
   is associated with said response will still reply with it.  Providing
   any guarantee about "when" an HTTP server would reply with said
   response is obviously a theoretically unsolvable problem and
   therefore outside the scope of this HTJP specification.  It is only
   required that the HTJP response be correct at some point in the range
   of the 32-bit Unix Timestamp; see "Seconds Since the Epoch"
   (Section 4.16) of Unix General Concepts [UNIX-General-Concepts].

   HTJP servers that are responding with an HTTP request for a volatile
   resource, and with high confidence in the time range at which the
   resource would be in the state described by the HTJP request, MAY add
   a Date header to the HTJP response.  This is in conformance with the
   ability for HTTP requests to carry a Date header; see Section 7.1.1.2
   of [RFC7231].




Fokschaner                    Informational                     [Page 5]
^L
RFC 8565             Hypertext Jeopardy Protocol 1.0        1 April 2019


   HTJP clients can try to demand more temporal certainty by adding a
   Date header to their HTTP response, embedding criteria for the time
   of the HTTP response in the HTTP response itself.  Of course, the
   client might still only receive that exact HTTP response if it
   manages to deliver the HTTP request at the precise time of the
   previously requested Date header, and even then it is still not
   guaranteed due to HTTP caching et cetera.

4.4.  Pseudo-Valid HTJP Messages

   In the wild, HTTP clients and servers have been known to occasionally
   exchange HTTP messages that are not conformant to any HTTP
   specification.  For this reason, we will identify a class of messages
   that are, on the one hand, invalid HTTP messages, yet at the same
   time, correctly answerable HTJP requests or correct answers to an
   HTJP request, as "pseudo-valid" HTJP messages.

   Consider, for example, an HTTP server that erroneously reports a
   Content-Length header field of zero when sending an HTTP payload of
   non-zero length.  Despite this HTTP message violating the HTTP
   specification, it is possible for an HTJP server to receive such a
   message and correctly respond to it, satisfying the HTJP semantics in
   doing so.

   This applies to both HTJP requests and HTJP responses.  There may be
   times when the only valid HTJP response is an invalid HTTP request.
   When there are both valid and invalid HTTP requests that could
   satisfy the HTJP request, Postel's Robustness Principle SHOULD be
   applied, as described in Section 4.1.

4.5.  HTTP Responses That Are Not Requestable

   Given that an HTJP response MUST be an HTTP request, and that HTTP
   requests do not have a status field (such as a status code), there is
   no way for an HTJP response to signal a failure in response to an
   HTJP request, via a status code or otherwise.  The correct HTJP
   response to an HTJP request when a server cannot determine an HTTP
   request that elicits the HTTP response is to not respond at all.  The
   HTJP responder MAY close the connection; however, the HTJP requester
   MUST NOT interpret the closing of the connection as a response.  This
   can have issues when HTJP servers are hosted behind non-HTJP-aware
   HTTP proxies, as the proxy may inject a 5xx HTTP response, which
   could be misinterpreted as an HTJP response.  See more on proxies in
   Section 5.







Fokschaner                    Informational                     [Page 6]
^L
RFC 8565             Hypertext Jeopardy Protocol 1.0        1 April 2019


5.  Caches and Proxies

   Despite being valid HTTP traffic, support for caching and proxying of
   HTJP traffic is unfortunately not widespread.  It is estimated that
   currently approximately 0.0% of all HTTP-aware intermediaries
   gracefully handle HTJP traffic.  For this reason, it is currently
   RECOMMENDED that HTJP should not be deployed behind an HTTP proxying
   or caching layer.  Support will likely increase proportionally to
   HTJP's popularity in production.

6.  IANA Considerations

   In order that implementations of this specification can operate
   correctly, and in accordance with [BCP90], the following new HTTP
   header field would need to be registered in the "Message Headers"
   registry maintained at
   <https://www.iana.org/assignments/message-headers/>.  To find out the
   details of this registration, an application should send an HTJP
   request to a suitable server specifying the Anti-HTJP-Nonce value
   that the server would have supplied had the IANA registration been
   made.

     +-------------------+----------+---------------+---------------+
     | Header Field Name | Protocol | Status        | Reference     |
     +-------------------+----------+---------------+---------------+
     | Anti-HTJP-Nonce   | http     | informational | Section 7.1.1 |
     +-------------------+----------+---------------+---------------+

7.  Security Considerations

7.1.  Securing HTTP against HTJP

   An incomplete implementation of HTJP is inadvisable from a security
   perspective.  A complete implementation of HTJP may have interesting
   security features that are worthy of detailed examination.  Due to
   its semantics, the issuing of a successfully authorized HTTP response
   to an HTJP server will result in a reply containing the HTTP request
   that elicits said response, including any credentials, tokens,
   cookies, or other authorization materials that were required to
   elicit that response.











Fokschaner                    Informational                     [Page 7]
^L
RFC 8565             Hypertext Jeopardy Protocol 1.0        1 April 2019


   As an example:

   Client request:

     HTTP/1.1 200 OK
     Date: Mon, 27 Jul 2009 12:28:53 GMT
     Content-Length: 61
     Content-Type: text/plain

     Some predictable information accessed using authorization.

   Server response:
   (line breaks in the Authorization header are for RFC formatting)

     GET /information.txt HTTP/1.1
     Host: authorised-usage-service.example.com
     Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
         eyJzdWIiOiJodGpwIiwibmFtZSI6IkV2ZXJ5b25lIiwiaWF0IjowfQ.
         JOL-kIObgTI0MzFfm1yVFFkIo1xf7DZGjY_oedRBZW0

   Given that we cannot prevent anyone from attempting to implement
   HTJP, it is RECOMMENDED to consider how HTJP impacts security when
   using HTTP.

   Note that it was only possible to query for the credentialed HTTP
   request because the response to the authorized request was
   predictable.  HTTP servers could mitigate this vulnerability exposed
   by HTJP by only serving a response that is at least as secret as the
   credentials themselves in response to an authorized request.

7.1.1.  Anti-HTJP-Nonce Header

   A generic solution to this problem is to use an "Anti-HTJP-Nonce"
   HTTP header in HTTP responses.  The value of an "Anti-HTJP-Nonce"
   header SHOULD be a cryptographically secure random number in any
   encoding that is valid for an HTTP header value.  The length of this
   number SHOULD be determined by the producer of the HTTP response,
   accounting for their method of random number generation and their
   threat model.

7.2.  HTJPS

   HTJP, being just HTTP, has most of the same security concerns and
   features as HTTP itself.  For example, the use of HTJP over an
   encrypted connection, such as TLS 1.3 [RFC8446], similar to HTTP
   Secure (HTTPS), is referred to as HTJP Secure (HTJPS).  However, it
   is important to note that, unlike with HTTPS, it is not expected that
   the hostname you are securely communicating with is the same hostname



Fokschaner                    Informational                     [Page 8]
^L
RFC 8565             Hypertext Jeopardy Protocol 1.0        1 April 2019


   as featured in the Host headers or absolute URIs of the HTJP messages
   themselves, as HTJP messages are typically referring to other HTTP
   hosts.  This excludes the case of a server that supports both
   conventional HTTP and HTJP, where it is possible to make HTJP
   requests securely to the same host that is also the subject of the
   HTJP requests being made.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <https://www.rfc-editor.org/info/rfc7230>.

   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
              DOI 10.17487/RFC7231, June 2014,
              <https://www.rfc-editor.org/info/rfc7231>.

   [RFC7232]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Conditional Requests", RFC 7232,
              DOI 10.17487/RFC7232, June 2014,
              <https://www.rfc-editor.org/info/rfc7232>.

   [RFC7233]  Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed.,
              "Hypertext Transfer Protocol (HTTP/1.1): Range Requests",
              RFC 7233, DOI 10.17487/RFC7233, June 2014,
              <https://www.rfc-editor.org/info/rfc7233>.

   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
              RFC 7234, DOI 10.17487/RFC7234, June 2014,
              <https://www.rfc-editor.org/info/rfc7234>.

   [RFC7235]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Authentication", RFC 7235,
              DOI 10.17487/RFC7235, June 2014,
              <https://www.rfc-editor.org/info/rfc7235>.






Fokschaner                    Informational                     [Page 9]
^L
RFC 8565             Hypertext Jeopardy Protocol 1.0        1 April 2019


   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [UNIX-General-Concepts]
              "General Concepts", Chapter 4 of "The Open Group Base
              Specifications, Issue 7", 2018 edition, IEEE
              Std 1003.1-2017, 2018, <http://pubs.opengroup.org/
              onlinepubs/9699919799/basedefs/V1_chap04.html>.

8.2.  Informative References

   [BCP90]    Klyne, G., Nottingham, M., and J. Mogul, "Registration
              Procedures for Message Header Fields", BCP 90, RFC 3864,
              September 2004, <https://www.rfc-editor.org/info/bcp90>.

   [IAB-PROTOCOL-MAINTENANCE]
              Thomson, M., "The Harmful Consequences of the Robustness
              Principle", Work in Progress, draft-iab-protocol-
              maintenance-02, March 2019.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.



























Fokschaner                    Informational                    [Page 10]
^L
RFC 8565             Hypertext Jeopardy Protocol 1.0        1 April 2019


Appendix A.  Hypertext Double Jeopardy Protocol

   Also worth mentioning, in case one encounters it in the wild, is the
   Hypertext Double Jeopardy Protocol (HTJ2P).  The Hypertext Double
   Jeopardy Protocol 1.0 is a stateless application-level request/
   response protocol that functions as the inverse of the Hypertext
   Jeopardy Protocol (HTJP) 1.0 .

   An HTJ2P response MUST be an HTTP response which would be issued for
   an HTTP request delivered as the HTJ2P request.  Implementations of
   HTJ2P have groundbreaking potential in the fields of HTTP caching,
   and in the implementation of HTJP.

Acknowledgements

   The author thanks Alex Trebek for his distinguished contributions to
   culture and society.  The author thanks Peter Phillips for the
   suggestion of the Anti-HTJP-Nonce header.  The author also wishes to
   thank anyone who has ever built a tool or a technology that made
   people ask "Why?".

Author's Address

   Edmund Fokschaner

   Email: edfokschaner@gmail.com

























Fokschaner                    Informational                    [Page 11]
^L