Embed Size (px)
DESCRIPTION
HTTP Response Splitting or CRLF injection is an attack technique which enables various attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and our favorite, cross-site scripting (XSS). This attack technique, and the derived attacks from it, are relevant to most web environments and is the result of the application’s failure to reject illegal user input, in this case, input containing malicious or unexpected characters. The talk will cover the concept of the attack and will take you through some use cases.
Citation preview
HTTP Response Splitting
By Sharath Unni@haxorhead
Involved parties
Root problem
Example
Web cache poisoning
XSS
Other derived attacks
Recommendations
Contents
There are always 3 parties (atleast) involved
Web server: hosts the application, with the vulnerability. (Tomcat, Apache, IIS etc.)
Target: An entity that interacts with the web server on behalf of the client. Eg: squid proxy
Attacker: initiates the attack
Involved parties
Failure to reject illegal user input Specifically input containing CR and LF
characters Carriage Return and Line Feed - %0d%0a (\
r\n) The data (user input) is included in an HTTP
response header without any validation. HTTP connection sharing Caching – less control over the site content,
improve performance, speed etc.
Root problem
Normal request:
http://www.the.site/new_page.asp?lang=german
Normal response:
HTTP/1.0 302 RedirectLocation: http://www.the.site/new_page.asp?lang=germanConnection: Keep-AliveContent-Length: 0
Example
Request (attacker):
http://www.the.site/welcome.asp?lang=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0a<html>Pwned!</html>
Response:
HTTP/1.0 302 RedirectLocation: http://www.the.site/new_page.asp?lang=FooConnection: Keep-AliveContent-Length: 0
HTTP/1.0 200 OKContent-Type: text/htmlContent-Length: 20
<html>Pwned!</html>Connection: Keep-AliveContent-Length: 0
Example
Attack overview:
Attacker sends 2 requests: 1. HTTP response splitter (with %0d%0a) 2. An innocent request
Proxy will match 1st request -> 1st reponse
2nd request (innocent) -> 2nd response in cache (Pwned!)
Web cache poisoning
Basic Concept
Attack sequence
9
302
302
200 (Pwned!)
1st attacker request (response splitter) 1st attacker request
(response splitter)
2nd attacker request(innocent /index.html)
2nd attacker request(innocent /index.html)
200 (Pwned!) 200
(Welcome)
XSS: The second response is controlled by the attacker and JavaScript or HTML code can be inserted.
Cross-Site Scripting
Evade CSP – Content Security Policy – instructs the client browser from which location and/or which type of resources are allowed to be loaded
Certain browsers will interpret the first occurrence of HTTP header
HTTP Response header
Content-Security-Policy: X-Content-Security-Policy
Lang=en_US%0d%0aX-Content-Security-Policy: allow *
CSP evasion via CRLF
CSP evasion
CSP evasion
For developers:◦ Validate user input and remove CRLF characters
(particularly when setting cookie and redirecting)
For proxy vendors:◦ Avoid sharing server TCP connections among
different virtual hosts.◦ Maintain request host header correctly from the
URL and not from the Host header.
Recommendations
Thank you@haxorhead
