WebApp Sec mailing list archives
Re: XSS or HTTP Response Splitting?
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Tue, 04 Jan 2005 23:11:48 +0200
On 2 Jan 2005 at 11:15, Joxean Koret wrote:
> My question is the following: What is the main difference between XSS and HTTP Response Splitting? Maybe HTTP Response Splitting errors modify the headers and XSS modifies document content?

Basically - Yes. To be more precise: HTTP Response Splitting is aimed at splitting the HTTP response message into two (as would be interpreted by the receiver - e.g. a cache server or a browser). Therefore, the injection must take place at the HTTP response headers. Typically the injection would include a Content-Length header that modifies the size of the (first) message, followed by data which is interpreted as the second message.

XSS, on the other hand, is aimed at changing the HTML page the receiver would interpret, so the injection typically happens at the response body (although it is of course possible to perform XSS when the injection happens at the HTTP response headers, if the response status is 2xx).

Of course, there's a significant difference in the impact of the two attacks. With HTTP Response Splitting, you CAN do XSS (particularly in the case wherein the response status is 3xx, in which case you can't normally do XSS), but you can also do much more, e.g. web cache poisoning and peeking at other people's data (response pages).

Happy new year,
-Amit

------- End of forwarded message -------
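The header-versus-body distinction in the reply above, as an added example that is not part of the original message: a redirect whose Location header carries user input is serialized with and without a CR/LF check, and a simplified receiver model counts how many HTTP messages it sees. The names build_redirect, split_messages and SAMPLE are hypothetical, the sample value is constructed, and the parser is a deliberately minimal model of a cache or browser.

```python
import re

CRLF = re.compile(r"[\r\n]")

# Constructed sample: a header value carrying CR/LF, its own Content-Length,
# and a harmless second message, as described in the reply above.
SAMPLE = "/home\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"

def build_redirect(location: str, sanitize: bool) -> bytes:
    """Serialize a 302 response whose Location header carries user input."""
    if sanitize and CRLF.search(location):
        # Hardened form: header values must never contain CR or LF.
        raise ValueError("CR/LF in header value")
    head = f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"
    return head.encode("latin-1")

def split_messages(stream: bytes) -> list[tuple[bytes, bytes]]:
    """Model a receiver: read headers, take Content-Length body bytes, repeat.

    Returns one (status_line, body) pair per message the receiver would see.
    """
    messages = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep or not head.startswith(b"HTTP/"):
            break  # leftover bytes that do not start a new message
        lines = head.split(b"\r\n")
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
                break  # assumption: this model honours the first Content-Length
        messages.append((lines[0], rest[:length]))
        stream = rest[length:]
    return messages

if __name__ == "__main__":
    for label, value in (("benign", "/home"), ("crafted", SAMPLE)):
        seen = split_messages(build_redirect(value, sanitize=False))
        print(label, "->", len(seen), "message(s):", [m[0] for m in seen])
```

Run against the unsanitized builder, the crafted value makes the receiver model report two messages where the application intended one; with sanitize=True the same value is rejected before any bytes are written.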