HTTP Response Splitting

Posted on October 22, 2012. Filed under: SANS Dev 541 |


In normal HTTP Header, each line is terminated with the carriage return (CR, ASCII 0x0D) and line feed (LF, ASCII 0x0A), and the entire message is terminated with two consecutive carriage return line feed.

HTTP response splitting takes place when user input is used within HTTP response, and that input contains the carriage return line feed followed by the content supplied by the attacker in the Header section of its response.

HTTP response splitting can be used to perform cross site scripting attacks, web Cache poisoning and phishing. The generic solution is to URL encode strings before inclusion into HTTP headers such as location or Set-Cookie.

Normal HTTP redirect.

HTTP Response Splitting

For example:

Suppose GET the following URL

http://vitimsite.com/reports.jsp?name=onboard

will be redirected to another URL

http://vitimsite.com/onboard.jsp

A hacker can exploit the HTTP Response Splitting and launch a XSS attack.

step 1. attacker send an email to a user with the following link in the email

http://victimsite.com/reports.jsp?name=onboard%0d%0aContent-Length:  0%0d%0a%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0aContent-Length:32%0d%0a%0d%0a<html><script>alert('HTTP Response Splitting')</script></html>

step 2. since this link is from a normal site, the email passed cooperate filter and arrives in the user’s email box.

step 3. user click the link in the email.

The HTTP Response in this case would looks like:

HTTP/1.1 302 Moved Temporarily

Date: Mon, 22 October 2012 18:40:32 GMT

Location: http://victimsite.com/onboard.jsp?report=onboard

Content-Length: 0

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 32

<html><script>alert('HTTP Response Splitting')</script></html>

At this point, a malicious code is executed on the user’s browser.

Advertisements

Make a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Liked it here?
Why not try sites on the blogroll...

%d bloggers like this: