Difference between revisions of "HTTP Response Splitting"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
Line 12: Line 14:
 
To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.
 
To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.
  
== Severity ==
 
High
 
  
== Likelihood of exploitation ==
+
==Risk Factors==
Medium
+
  
==Examples ==
+
* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this attack likely or unlikely to actually happen
 +
* You can mention the likely technical impact of an attack
 +
* The [business impact] of an attack is probably conjecture, leave it out unless you're sure
 +
 
 +
 
 +
==Examples==
  
 
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
 
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
Line 52: Line 56:
 
Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.
 
Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.
  
==External References==
+
==Related [[Threat Agents]]==
 
+
http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting
+
 
+
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting
+
 
+
 
+
==Related Threats==
+
  
 
[[Client-side attacks]]
 
[[Client-side attacks]]
  
  
==Related Attacks==
+
==Related [[Attacks]]==
  
 
*[[Cross-User Defacement]]
 
*[[Cross-User Defacement]]
Line 72: Line 69:
  
  
==Related Vulnerabilities==
+
==Related [[Vulnerabilities]]==
  
 
[[:Category:Input Validation Vulnerability]]
 
[[:Category:Input Validation Vulnerability]]
  
  
==Related Countermeasures==
+
==Related [[Controls]]==
  
 
[[:Category:Input Validation]]
 
[[:Category:Input Validation]]
 +
 +
 +
==References==
 +
 +
http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting
 +
 +
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting
  
  
Line 90: Line 94:
  
 
[[Category: Attack]]
 
[[Category: Attack]]
 +
 +
__NOTOC__

Revision as of 16:44, 25 May 2008

This is an Attack. To view all attacks, please see the Attack Category page.


Last revision (mm/dd/yy): 05/25/2008

Description

HTTP response splitting vulnerabilities occur when:

  • Data enters a web application through an untrusted source, most frequently an HTTP request.
  • The data is included in an HTTP response header sent to a web user without being validated for malicious characters.

As with many software security vulnerabilities, HTTP response splitting is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.

To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.


Risk Factors

  • Talk about the factors that make this attack likely or unlikely to actually happen
  • You can mention the likely technical impact of an attack
  • The [business impact] of an attack is probably conjecture, leave it out unless you're sure


Examples

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

	String author = request.getParameter(AUTHOR_PARAM);
	...
	Cookie cookie = new Cookie("author", author);
        cookie.setMaxAge(cookieExpiration);
        response.addCookie(cookie);

Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:

	HTTP/1.1 200 OK
	...
	Set-Cookie: author=Jane Smith
	...

However, because the value of the cookie is formed of unvalidated user input the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...", then the HTTP response would be split into two responses of the following form:

	HTTP/1.1 200 OK
	...
	Set-Cookie: author=Wiley Hacker
	
	HTTP/1.1 200 OK
	...

Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.

Related Threat Agents

Client-side attacks


Related Attacks


Related Vulnerabilities

Category:Input Validation Vulnerability


Related Controls

Category:Input Validation


References

http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting

http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting


Credit

This article includes content generously donated to OWASP by Fortify.JPG.