7.5.7. Padding Attacks with Multiple Field Values
Since HTTP field values need to be combined into a single string value to be included in the HTTP signature base (see Section 2.5), it is possible for an attacker to inject an additional value for a given field and add this to the signature base of the verifier.
In most circumstances, this causes the signature validation to fail as expected, since the new signature base value will not match the one used by the signer to create the signature. However, it is theoretically possible for the attacker to inject both a garbage value into a field and a desired value into another field in order to force a particular input. This is a variation of the collision attack described in Section 7.3.1, where the attacker accomplishes their change in the message by adding to existing field values.
To counter this, an application needs to validate the content of the fields covered in the signature in addition to ensuring that the signature itself validates. With such protections, the attacker's padding attack would be rejected by the field value processor, even in the case where the attacker could force a signature collision.
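The following sketch of such a field value processor is an added example, not part of the specification text. It assumes multiple field lines are combined by trimming each value and joining them with a comma and a space; `FIELD_POLICY`, the `X-Request-Id` field and the sample messages are hypothetical and constructed for illustration.

```python
import re

# Hypothetical application policy: the exact syntax the application accepts
# for each covered field. These patterns are assumptions for illustration.
FIELD_POLICY = {
    "content-type": re.compile(r"application/json"),
    "x-request-id": re.compile(r"[0-9a-f]{16}"),
}


def combine_field_values(headers, name):
    """Combine every field line named `name` into the single string used in
    the signature base (assumed rule: trim each value, join with ', ')."""
    values = [v.strip() for (n, v) in headers if n.lower() == name]
    return ", ".join(values) if values else None


def validate_covered_fields(headers, covered):
    """Return (field, reason) pairs for covered fields whose combined value
    the application does not accept. Run alongside signature verification,
    never instead of it."""
    problems = []
    for name in covered:
        combined = combine_field_values(headers, name)
        pattern = FIELD_POLICY.get(name)
        if combined is None:
            problems.append((name, "missing"))
        elif pattern is None:
            # Fail closed: a covered field with no policy is not trusted.
            problems.append((name, "no validation policy"))
        elif not pattern.fullmatch(combined):
            # An injected extra field line changes the combined string,
            # so it no longer matches the expected syntax.
            problems.append((name, "unexpected value"))
    return problems


# Constructed sample messages: header lists of (name, value) pairs.
ORIGINAL = [("Content-Type", "application/json"),
            ("X-Request-Id", "00112233aabbccdd")]
# The same message with one extra field line added in transit.
PADDED = ORIGINAL + [("X-Request-Id", "zzzz")]
COVERED = ["content-type", "x-request-id"]
```

Because the check runs on the same combined string that enters the signature base, a message carrying an added field line is rejected on content grounds regardless of the outcome of signature verification.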