
I always see "false positives" or "false negatives" in HTTP request smuggling forum posts. What does it mean?

Example: HTTP Desync Attacks: Request Smuggling Reborn

Peter Mortensen
eyal
  • These phrases are not really specific to information security. A false positive means simply that the result looks positive (like: antivirus claims to detect a virus) but it is actually not a real positive (antivirus wrongly detected a virus) - thus a false positive. And this can also happen with vulnerability scanners (claims to be vulnerable, but is not) etc. A false negative is similar - something which is actually positive (i.e. is a virus) is not detected as such. – Steffen Ullrich Feb 07 '21 at 12:35
  • This question is lacking any evidence of research. Have you googled the terms? – schroeder Feb 08 '21 at 23:43

2 Answers

These are terms used a lot in different areas: antivirus software (AV), IDS, and vulnerability scanning. They are ways to say whether a detection came out right or wrong, and in what way. The terms are universal, so it always goes like this:

A true positive is when things are working out the way they should. The results are accurate, with no mistakes.

A false positive is when it detects something that is not there. It's basically the scanner mistaking something legitimate, or nothing to worry about, for something bad. A lot of them can be annoying.

Example:

  1. You scan a system with an AV and it detects your email client as malware. Is it? No, it's a mistake. (Although the example used AV, the concept is the same.)

  2. Your spam filter detects that important business message as spam.

A false negative is when it detects nothing when something is there. These are more dangerous, as they mean things are slipping past the scans.

Example:

  1. You really have a malware email client, but the AV failed to recognize that.

  2. The spam filter keeps letting those annoying emails in when obviously it's spam.

Henry WH Hack v3.0

  • False positive:

    You send requests with malformed Content-Length and Transfer-Encoding headers. When one of these responses times out, the tool flags it as HTTP request smuggling.

  • False negative:

    When HTTP request smuggling exists, but a web application firewall (WAF) or anything else blocks it.

Peter Mortensen
Mesky
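Both answers above describe verdicts one case at a time. The following is an added example, not code from either answer or from the question, that puts the same idea into the form a practitioner actually uses when judging a scanner, AV engine or WAF rule: each scanned target is paired with the detector's verdict and the ground truth, every pair is classified as TP/FP/FN/TN, and precision (how many alerts were real) and recall (how many real problems were caught) are computed from the counts. The sample findings are constructed for illustration from the cases both answers mention (the mis-flagged email client, the business message marked as spam, the probe that timed out on a slow host, the smuggling that a WAF hides); the `Finding` class and function names are this example's own.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanned target: what the detector said, and what was really there."""
    target: str
    flagged: bool        # detector verdict: True = "something bad here"
    actually_bad: bool   # ground truth, established by manual review


def classify(flagged: bool, actually_bad: bool) -> str:
    """Map a (verdict, truth) pair to its confusion-matrix cell."""
    if flagged and actually_bad:
        return "TP"   # real problem, correctly reported
    if flagged and not actually_bad:
        return "FP"   # alert on something harmless (noise)
    if not flagged and actually_bad:
        return "FN"   # real problem that slipped past the detector
    return "TN"       # harmless, and correctly left alone


def confusion(findings) -> Counter:
    """Count how many findings fall in each of TP/FP/FN/TN."""
    return Counter(classify(f.flagged, f.actually_bad) for f in findings)


def metrics(counts: Counter) -> dict:
    """Precision = alerts that were real; recall = real problems that were caught.
    A denominator of zero (no alerts, or nothing bad present) yields 0.0."""
    tp, fp, fn = counts["TP"], counts["FP"], counts["FN"]
    precision = tp / (tp + fp) if (tp + fp) else 0.0
    recall = tp / (tp + fn) if (tp + fn) else 0.0
    return {"precision": precision, "recall": recall}


def missed(findings) -> list:
    """False negatives deserve triage first: these are the problems nobody saw."""
    return [f.target for f in findings if classify(f.flagged, f.actually_bad) == "FN"]


# Constructed sample results (not real scan output), drawn from the cases in the answers.
SAMPLE_FINDINGS = [
    Finding("known malware sample", flagged=True, actually_bad=True),         # TP
    Finding("legitimate email client binary", flagged=True, actually_bad=False),   # FP (AV)
    Finding("important business message", flagged=True, actually_bad=False),       # FP (spam filter)
    Finding("CL/TE probe timed out on slow host", flagged=True, actually_bad=False),  # FP (smuggling scanner)
    Finding("trojaned email client", flagged=False, actually_bad=True),        # FN (AV)
    Finding("obvious spam that got through", flagged=False, actually_bad=True),  # FN (spam filter)
    Finding("smuggling hidden behind WAF", flagged=False, actually_bad=True),   # FN (WAF masks the desync)
    Finding("clean document", flagged=False, actually_bad=False),              # TN
]


if __name__ == "__main__":
    counts = confusion(SAMPLE_FINDINGS)
    print(dict(counts))
    print(metrics(counts))
    print("missed:", missed(SAMPLE_FINDINGS))
```

On this constructed set the detector has one true positive against three false positives and three false negatives, so both precision and recall are 0.25: three quarters of its alerts are noise, and three quarters of the real problems went unreported. The `missed` list is the one to look at first, for the reason the first answer gives: a false negative is something slipping past the scan.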