"The question is not whether we will be extremists, but what kind of extremists we will be. . . The nation and the world are in dire need of creative extremists." -- Martin Luther King Jr.
HTTP Response Splitting is a fairly new type of web app security vulnerability. The idea behind it is that you find a website that takes user-submitted data and writes it into an HTTP header. An example of this is a Location: redirect. Here's the PHP code that takes a website and redirects you to it.
The server will respond with a 200 Found response and show you the requested document, Google.com. Hopefully you noticed what's at the end of each line.
\r\n
Which is also represented as:
CR LF and,
%0d %0a
So, you should know how to fake headers. Basically, if you inject a CR LF into the header, you can inject your own headers and you have your attack. Now, what can be accomplished with this? Well, you can rewrite the page, allowing for XSS and HTML injection, and you can even tell the browser to cache your 'defaced' page by setting either
Last-Modified:
Cache-Control: or
Pragma:
to a date ahead of the current one.
So, let's inject our own headers to rewrite the page and tell the browser to cache it.
HTTP/1.1 302 Found                      [normal header starts here]
Date: Tue, 02 Oct 2007 1:40:00 GMT\r\n
Server: Apache/0.0.0 (Windows) PHP/0.0.0
Location:
Content-Type: text/html
HTTP/1.1 200 OK                         [our response has been injected here]
Content-Type: text/html
<html><h1>Defaced!</h1></html>          [our code above gets shown as the redirected page]
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
As you can see in the example above, the server sends the normal 302 response, then our injected code gets placed where the redirect would be, which causes it to show on the page, allowing for the payload of our choice. And as a bonus, it gets cached until the 5th of October ;)
So up until that day, provided they don't clear their cache, they will see the defaced page.
Now, to protect yourself against this attack, be sure to sanitize input against:
CR LF
\r\n and,
%0d%0a
and any other encodings of these characters before passing them into the HTTP headers.
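The check described above, and the splitting it prevents, as an added example (not the article's PHP code, which is not reproduced here). The hosts in the allow-list and the sample responses are constructed for illustration; the idea is that a redirect target is rejected if it carries a raw or percent-encoded CR/LF, and that a response stream with more than one status line has been split:

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Any ASCII control character terminates or corrupts a header line, so reject them all.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Percent-encoded CR/LF, including double-encoded forms such as %250d%250a,
# in case a later layer URL-decodes the value again.
_ENCODED_CRLF = re.compile(r"%(?:25)*0[dDaA]")


class HeaderInjectionError(ValueError):
    """Raised when a value is unsafe to place in an HTTP header."""


def contains_crlf(value: str) -> bool:
    """True if the value carries a raw control character or an encoded CR/LF."""
    return bool(_CONTROL_CHARS.search(value) or _ENCODED_CRLF.search(value))


def safe_redirect_target(url: str, allowed_hosts) -> str:
    """Validate a user-supplied redirect target before it goes into Location:."""
    if contains_crlf(url):
        raise HeaderInjectionError("CR/LF in redirect target")
    parts = urlsplit(url)
    # An allow-list of hosts (assumed here) also stops open redirects.
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        raise HeaderInjectionError("redirect target not on allow-list")
    return urlunsplit(parts)


def build_redirect(url: str, allowed_hosts) -> str:
    """Build the raw 302 response; only a validated value reaches the header."""
    target = safe_redirect_target(url, allowed_hosts)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def is_rejected(url: str, allowed_hosts) -> bool:
    """Convenience wrapper: True if build_redirect refuses the value."""
    try:
        build_redirect(url, allowed_hosts)
    except HeaderInjectionError:
        return True
    return False


def count_responses(raw: bytes) -> int:
    """Count status lines in a raw response stream; more than one means it was split."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3}", raw))


if __name__ == "__main__":
    ALLOWED = {"www.google.com"}  # constructed allow-list
    print(build_redirect("http://www.google.com/", ALLOWED))
    bad = "http://www.google.com/\r\nContent-Type: text/html\r\n\r\n<h1>Defaced!</h1>"
    print("rejected:", is_rejected(bad, ALLOWED))
    # A constructed stream in the shape of the article's example: two status lines.
    split = b"HTTP/1.1 302 Found\r\nLocation: \r\nHTTP/1.1 200 OK\r\n\r\n<html></html>"
    print("status lines seen:", count_responses(split))
```

Run the raw-character check on the value after the web server has URL-decoded it (that is what turns %0d%0a into a real CR LF); the encoded-form check is a second layer for frameworks that decode twice. count_responses is the kind of check a proxy or log review can apply to a captured response to spot a split.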
Hope that explains it... ;)
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.