HTTP Response Splitting
As the name suggests, it is a basic attack technique in which a user passes malicious data (including an encoded request) to the application, and the application serves that request by responding with one additional response header.
This attack technique is also known as the CRLF (Carriage Return/Line Feed) attack, because it is carried out using the CR (%0d) and LF (%0a) characters.
Explanation using the OWASP WebGoat project:
Let's say we have a search section in our app.
Consider the following JSP page, which redirects requests with some POST parameters to the server:
<%
  // Builds the redirect URL from request parameters and sends it as the Location header;
  // the parameter values are written into the header unfiltered.
  response.sendRedirect(request.getContextPath() + "/attack?" +
      "Screen=" + request.getParameter("Screen") +
      "&menu=" + request.getParameter("menu") +
      "&fromRedirect=yes&language=" + request.getParameter("language"));
%>
Let's say we posted some test data, e.g. "test".
Observation:
It uses a GET request to send the data.
In this case the server serves the request by sending a single response header:
Date: Fri, 16 Aug 2013 10:06:13 GMT
Sending malicious data:
Malicious data can be sent by introducing CR and LF characters and including an additional (encoded) header line.
Let's say we want to send:
HTTP/1.1 200 OK
<html>Security Tester Entry</html>
Encoding:
URL-encoded format:
Tools used: cal9000
Sample URL-encoded data:
Replace "%0a" with "%0d%0a", which signals the start of a new line (carriage return followed by line feed).
Updated encoded data:
Hit search and notice that WebGoat will detect the attack.
HTTP response splitting can lead to web cache poisoning and to other attacks such as XSS.
Solutions:
All GET/POST parameters should be filtered for CR and LF characters on the server side before they are written into a response header.
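The following Python script is an added example, not part of the original post or of WebGoat. It models the JSP redirect above in two forms, the unfiltered one and a hardened one that applies the filtering recommended here, and shows how a single CR/LF in a parameter turns one 302 response into two responses on the wire. The context path /WebGoat, the Screen and menu values, and the payload string are constructed for the example; decode_param stands in for the container's own parameter decoding (what request.getParameter() returns).

```python
from urllib.parse import unquote

# Constructed sample inputs (not from the post): a benign search term and a
# payload in the shape the post describes, i.e. URL-encoded CR/LF followed by
# an injected status line, header and body.
BENIGN_LANGUAGE = "test"
SPLIT_LANGUAGE = (
    "test%0d%0aHTTP/1.1 200 OK%0d%0a"
    "Content-Type: text/html%0d%0a%0d%0a"
    "<html>Security Tester Entry</html>"
)

CONTEXT_PATH = "/WebGoat"  # assumed context path, as returned by getContextPath()


def decode_param(wire_value: str) -> str:
    """Model the servlet container: request.getParameter() hands back the
    URL-decoded value, so %0d%0a has already become a real CR LF pair."""
    return unquote(wire_value)


def contains_crlf(value: str) -> bool:
    """True if a decoded parameter carries CR or LF. Both characters are checked
    individually: some servers treat a lone LF as a line terminator too."""
    return "\r" in value or "\n" in value


def redirect_location_unfiltered(screen: str, menu: str, language: str) -> str:
    """The JSP's URL building reproduced without any check (the vulnerable form)."""
    return (f"{CONTEXT_PATH}/attack?Screen={screen}&menu={menu}"
            f"&fromRedirect=yes&language={language}")


def redirect_location_filtered(screen: str, menu: str, language: str) -> str:
    """Hardened form: reject any parameter carrying CR/LF before it reaches a header."""
    for name, value in (("Screen", screen), ("menu", menu), ("language", language)):
        if contains_crlf(value):
            raise ValueError(f"parameter {name!r} contains CR/LF")
    return redirect_location_unfiltered(screen, menu, language)


def is_rejected(screen: str, menu: str, language: str) -> bool:
    """Convenience wrapper: does the filtered builder refuse these parameters?"""
    try:
        redirect_location_filtered(screen, menu, language)
    except ValueError:
        return True
    return False


def render_redirect(location: str) -> str:
    """Serialise a minimal 302 response the way a server writes it to the socket."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"


def count_responses(raw: str) -> int:
    """Count status lines in the raw stream; a split response yields more than one."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1."))


if __name__ == "__main__":
    payload = decode_param(SPLIT_LANGUAGE)
    raw = render_redirect(redirect_location_unfiltered("SearchScreen", "100", payload))
    print("unfiltered: responses on the wire =", count_responses(raw))   # 2
    print("filtered rejects payload:", is_rejected("SearchScreen", "100", payload))  # True
    benign = decode_param(BENIGN_LANGUAGE)
    raw = render_redirect(redirect_location_filtered("SearchScreen", "100", benign))
    print("filtered, benign input: responses on the wire =", count_responses(raw))  # 1
```

The check runs on the decoded value rather than on the wire string, because that is the value the application actually writes into the header; checking the raw query string for "%0d" would be bypassed by any other encoding the container happens to accept. Rejecting the request is preferable to silently stripping the characters, since stripping can still produce an unexpected but syntactically valid URL.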
Posted on August 21, 2013, in Manual Testing, Web Security Testing and tagged CRLF Attack, HTTP Response Splitting, Krushna Prasad Subudhi, List of HTTP header fields, List of HTTP status codes, Manual Testing, Mindfire Solutions, Security Testing, User agent, Web Security Testing.