
HTTP Response Splitting

 zybingliu 2008-05-24

 

HTTP Response Splitting

Application issue

 

WASC classification: Content Spoofing

 

Reference: http://www./projects/threat/classes/content_spoofing.shtml

 

Severity:

         Severe (High)

 

Risk:

         The user's session cookie can be stolen or manipulated, so that the attacker can act as a legitimate user.

         The server-side (web) cache can be poisoned.

 

Technical description:

         Typically, an application embeds user data in a cookie or in the URL of a redirect. In this situation (user input embedded in the HTTP response headers), the attacker terminates the current response (by injecting the necessary HTTP response headers) and appends an additional HTTP response of his own. The attacker can then orchestrate the traffic so that when an additional request is sent, the additional response is produced for it. This can be exploited in two ways:

1.       Cross Site Scripting
See also: http://www.360doc.com/showWeb/0/54/1280205.aspx

2.       Web cache poisoning:
Forcing the web cache mechanism to cache attacker-supplied data

 

Attack method:

        

When the application redirects the client based on client data (e.g. a parameter named "Lang"):

<% Response.Redirect "/Homepage_by_lang.asp?language=" + Request.QueryString("lang") %>

 

Then sending the parameter lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2046%0d%0a%0d%0a<html><script>alert("hacked")</script></html>

 

yields two HTTP responses (and some leftovers after the second response):

[Response 1: the normal response, a page redirect]

HTTP/1.1 302 Object moved

Server: Microsoft-IIS/5.0

Date: Tue, 16 Dec 2003 14:44:18 GMT

Location: http://127.0.0.1/Homepage_by_lang.asp?language=foobar

Content-Length: 0

[Response 2: the appended response, do whatever you like]

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 46

<html><script>alert("hacked")</script></html>

Connection: Keep-Alive

Content-Length: 121

Content-Type: text/html

Cache-control: private

<head><title>Object moved</title></head>

<body><h1>Object Moved</h1>This object may be found <a HREF="">here</a>.</body>

 

As explained above, this can be used to either mount a cross site scripting attack, or a web cache poisoning attack.

 

        

 

 

 

 

HTTP Response Splitting

Application

 

WASC Threat Classification

       Client-side Attacks: Content Spoofing

       http://www./projects/threat/classes/content_spoofing.shtml

 

CVE Reference(s)

       N/A

 

Security Risks

       It is possible to deface the site content through web-cache poisoning

       It is possible to steal or manipulate customer session and cookies, which may be used to impersonate

       a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user

 

Possible Causes

       Sanitization of hazardous characters was not performed correctly on user input

 

Technical Description

       Oftentimes, applications embed user data in cookie values or as part of a URL in a redirection response. In such situations (or in general, in situations where user input is embedded as-is in HTTP response headers), it is possible for an attacker to terminate the "current" response (by injecting the necessary HTTP response headers), and then to add his/her own additional complete HTTP response. The attacker can then orchestrate the traffic in such a way that when an additional request is sent it appears to generate the additional response. When an attacker succeeds in sending a crafted request, and it is answered with the crafted response, there are two (perhaps more) ways in which this condition can be exploited:

1.     Cross Site Scripting:
basically, the crafted (second response) would contain a malicious client side (e.g. Javascript) code, which can steal the client cookies and credentials. The attacker would send the client (victim) a page that will cause two HTTP requests to be sent to the vulnerable site. The first request "attacks" the web-site and causes the split HTTP response to be sent (that is, two HTTP responses will be sent back by the web server). Then, when the second HTTP request is sent by the browser, it (e.g. Internet Explorer) assumes the second HTTP response is the actual server response for the (second) request, thus it will render the content of the second response, and execute the malicious script.

2.     Web cache poisoning:
the objective, in this case, is to force a web cache on the path between the attacker and the web server to cache an attacker provided data as a resource that belongs to the vulnerable site.

 

Sample Exploit:

When the application redirects the client based on client data (e.g. a parameter named "Lang"):

<% Response.Redirect "/Homepage_by_lang.asp?language=" + Request.QueryString("lang") %>

 

Then sending the parameter lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2046%0d%0a%0d%0a<html><script>alert("hacked")</script></html>

 

yields two HTTP responses (and some leftovers after the second response):

HTTP/1.1 302 Object moved

Server: Microsoft-IIS/5.0

Date: Tue, 16 Dec 2003 14:44:18 GMT

Location: http://127.0.0.1/Homepage_by_lang.asp?language=foobar

Content-Length: 0

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 46

<html><script>alert("hacked")</script></html>

Connection: Keep-Alive

Content-Length: 121

Content-Type: text/html

Cache-control: private

<head><title>Object moved</title></head>

<body><h1>Object Moved</h1>This object may be found <a HREF="">here</a>.</body>

 

As explained above, this can be used to either mount a cross site scripting attack, or a web cache poisoning attack.

 

General Fix Recommendations

       There are several issues whose remediation lies in sanitizing user input.

       By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launch arbitrary SQL queries, embed Javascript code to be executed on the client side, run various operating system commands etc.
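The mechanism from the Technical Description and Sample Exploit, and the input check called for in the fix recommendations, side by side as added example code. This is an illustration written for this page, not the advisory's or IIS's code: it models the 302 with only a Location and a Content-Length header (a real IIS redirect carries more headers and a small body, which is where the "leftovers" shown above come from), and the names naive_redirect, safe_redirect, contains_header_hazard, encode_header_value and split_responses are hypothetical.

```python
# Added illustration (not part of the advisory): model the vulnerable redirect
# as a byte stream, parse it the way a client or proxy would, and compare it
# with a version that checks and encodes the header value.
from urllib.parse import quote, unquote

# The "lang" value from the sample exploit, URL-decoded the way
# Request.QueryString hands it to the redirect code.
PAYLOAD = unquote(
    "foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2046%0d%0a%0d%0a"
    '<html><script>alert("hacked")</script></html>'
)

REDIRECT_BASE = "http://127.0.0.1/Homepage_by_lang.asp?language="


def naive_redirect(lang: str) -> bytes:
    """Simplified model (assumed minimal header set) of the vulnerable
    Response.Redirect: the query value is copied into Location unchanged."""
    return (
        "HTTP/1.1 302 Object moved\r\n"
        "Location: " + REDIRECT_BASE + lang + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def contains_header_hazard(value: str) -> bool:
    """The check the fix recommendations call for: CR and LF are the
    characters that let a value break out of its header line."""
    return "\r" in value or "\n" in value


def encode_header_value(value: str) -> str:
    """Percent-encode everything but unreserved characters, so CR/LF
    become %0D%0A and can no longer end a header or a response."""
    return quote(value, safe="")


def safe_redirect(lang: str) -> bytes:
    """Hardened redirect: reject hazardous input outright, and encode
    what remains as a second layer."""
    if contains_header_hazard(lang):
        raise ValueError("CR/LF not allowed in a header value")
    return (
        "HTTP/1.1 302 Object moved\r\n"
        "Location: " + REDIRECT_BASE + encode_header_value(lang) + "\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def split_responses(stream: bytes):
    """Parse a byte stream as consecutive HTTP responses, honouring
    Content-Length the way a pipelining browser or a shared cache would.
    Returns (responses, leftover); each response is
    (status_line, headers, body) with header names lower-cased."""
    responses = []
    pos = 0
    while stream.startswith(b"HTTP/", pos):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        responses.append((lines[0], headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return responses, stream[pos:]


if __name__ == "__main__":
    responses, leftover = split_responses(naive_redirect(PAYLOAD))
    print("naive:", len(responses), "response(s)", [r[0] for r in responses],
          "leftover bytes:", len(leftover))
    responses, leftover = split_responses(safe_redirect("en-US"))
    print("safe:", len(responses), "response(s)", [r[0] for r in responses])
```

Run stand-alone, the naive build of the sample payload parses as two responses (the 302 and the injected 200 carrying the script) with a few leftover bytes, exactly the shape shown in the advisory's capture; the hardened build refuses the payload, and a clean value yields a single 302. The parser stops at the first chunk that does not begin with a status line, which is what turns the tail of the injected data into "leftovers" rather than a third response.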

 
