WebApp Sec mailing list archives

Re: XSS or HTTP Response Splitting?


From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Tue, 04 Jan 2005 23:11:48 +0200

On 2 Jan 2005 at 11:15, Joxean Koret wrote:

My question is the following: What is the main difference between XSS and HTTP Response Splitting? Maybe that HTTP Response Splitting errors modify the headers and XSS modifies document content?


Basically - Yes. To be more precise:

HTTP Response Splitting is aimed at splitting the HTTP response 
message into two (as would be interpreted by the receiver - e.g. a 
cache server or a browser). Therefore, the injection must take place 
at the HTTP response headers. Typically the injection would include a 
Content-Length header that modifies the size of the (first) message, 
followed by data which is interpreted as the second message.

XSS, on the other hand, is aimed at changing the HTML page the 
receiver would interpret, so the injection typically happens at the 
response body (although it is of course possible to perform XSS when 
the injection happens at the HTTP response headers, if the response 
status is 2xx).

Of course, there's a significant difference in the impact of the two 
attacks. With HTTP Response Splitting, you CAN do XSS (particularly 
in the case wherein the response status is 3xx, in which case you 
can't normally do XSS), but you can also do much more, e.g. web cache 
poisoning and peeking at other people's data (response pages).

Happy new year,
-Amit
------- End of forwarded message -------
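As an added illustration of the splitting mechanism Amit describes (not code from the original post), the following constructed Python example builds a redirect whose Location header is taken from untrusted input, then parses the resulting byte stream the way a simple cache or proxy would, one message per Content-Length. Without the CR/LF check the stream parses as two responses; with the check the tainted value is refused. The parser, the redirect builder and the sample value are all assumptions made for this example.

```python
"""Constructed example: a CR/LF in a header value splits one HTTP response
into two, and a header-value check that rejects such values."""
import re

def build_redirect(location: str, validate: bool) -> bytes:
    """Build a 302 redirect. With validate=True, reject CR/LF in the value
    (the mitigation); with validate=False the header is assembled blindly."""
    if validate and re.search(r"[\r\n]", location):
        raise ValueError("CR/LF not allowed in header value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()

def split_messages(stream: bytes) -> list:
    """Parse a byte stream as a naive proxy/cache would: headers up to the
    blank line, then a body of Content-Length bytes, repeated while a
    status line is present. Returns (status_line, headers, body) tuples."""
    messages = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head = stream[pos:end].decode("latin-1").split("\r\n")
        if not head[0].startswith("HTTP/"):
            break  # trailing bytes that do not start a message are dropped
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        messages.append((head[0], headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return messages

# Constructed untrusted value: CRLFs end the first message's headers, and a
# Content-Length on the injected second message claims the tail as its body.
INJECTED = ("/home\r\nContent-Length: 0\r\n\r\n"
            "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")

def demo() -> list:
    """Return the messages a receiver would see for the unvalidated case."""
    return split_messages(build_redirect(INJECTED, validate=False))
```

Real frameworks perform the same CR/LF rejection in their header-setting APIs; the check here only makes that control visible next to the parser it protects.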
