Introduction to HTTP response splitting attacks (1)

Bkjia.com exclusive Article] In this article, we will discuss what HTTP response splitting is and how attack behavior is carried out. Once we fully understand the principle of its occurrence, this principle is often misunderstood.) We can explore how to use response splitting to execute cross-site scripting (XSS ). Next, we will naturally discuss how to use this server to organize cross-site forgery (CSRF) attacks if the target website has a response splitting vulnerability. Finally, let's take a look at the preventive measures that can defend against these attacks. If you are interested in this topic, you may wish to continue reading it.

What is HTTP Response Splitting?

First, let's imagine a page with multiple language options. The default language of this page is English, but it also has a drop-down menu, allowing us to switch the language of the entire page at the same time after selecting the corresponding language. For example, according to the initial page configuration, 302 points back to the result of a http://www.abc.com/index.php? Lang = en. But for users from Germany, of course they want the page content to be displayed in German, then they can select from the drop-down menu in the alternate language. This causes 302 to point again to the German page that will be sent to the server-http://www.abc.com/index.php? Lang = german. The user's browser will follow the redirection and display the German page normally.

Now let's think about the subject content that HTTP 302 points back to the response. The content is as follows:

 
 

  
  
HTTP/1.1 302 Moved Temporarily  
  
  
Location: http://www.abc.com/index.php?lang=en 
 
 

Or:

 
 

  
  
HTTP/1.1 302 Moved Temporarily  
  
  
Location: http://www.abc.com/index.php?lang=german 
 
 

You may have discovered that the only change is the lang parameter value. That is to say, this value is controlled by the user. We can set this value to any desired content. This feature causes the occurrence of HTTP response splitting attacks.

In this case, we do not set the parameter value to "german", but set it according to the following content:

 
 

  
  
A) The value 'German'
  
  
B) CR/LF-% 0d % 0a
  
  
C) A response with Content Length 0 [the reason why the Length is set to 0 is that this section does not matter.]
  
  
D) CR/LF-% 0d % 0a
  
  
E) A response which contains malicious content [for example, JavaScript can be set to automatically download malware when the page is accessed]
 
 

Let's take a look at the content of c)-this is the first response. The way HTTP works is that a request corresponds to a response, so the request -- that is, the http://www.abc.com/index.php? Lang = german's response is carefully designed. In fact, we don't care about the response itself and its Content. All we want is to set Content-Length: 0 as its response header.

CR/LF is the line break between response. So as long as we add CR/LF content as shown in d), the second round of response will start, and this is completely normal according to the HTTP protocol. In the next round of response, we can add a large amount of information. For example, if we want to display a message "Hello, you have been phished", which means "Hello, you are already lucky"), there is no obstacle in front of us. You only need to enter the following content for easy implementation:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 41
Hello, you have been phished

I still feel a little confused? Let's summarize it again. The attacker controls the parameters and sends a request that will generate two responses. Both responses are organized by the attacker and target the server. The first response is intended to respond to requests that convert the page to German, while the second response is so far) without explanation, it only suspends temporarily because the response does not have a corresponding request mapped. Remember that HTTP requires a response regardless of the Content Code), but it requires a response that corresponds to all requests. Therefore, the pending HTTP response cannot work.

Please read carefully... Because this is exactly what most people haven't figured out for a long time. .

Assume that the request sent by him is:

GET /branches.html HTTP/1.1
Host: www.abc.com

After sending the first request containing the "customizable content" parameter, the system immediately sends the second request, which is exactly "Hello, you have been phished "field ing object. The two requests correspond to two responses. Do you understand?

Haha, I'm afraid you are still confused. Although you may already know the entire ing process, you still don't understand how this attack affects others. After all, all the actions taken by the attacker occur on his own computer, and the modified requests are limited to him... That is to say, only one of them will be affected. To be honest, why should attackers attack themselves? This seems unreasonable.However, I want to point out that this is a key link for proxy servers or some devices located in the intermediate frame and cache to accept requests and responses.

Attackers must hide behind the proxy server and use the proxy to send their requests to the target server on the Internet. If he wants to infect other users, these victims must also be placed after the same proxy server. Therefore, Let's sum up again to maintain patience ...)

A) the attacker sends a request containing one value and two responses, which are separated by % 0d % 0a. In this example, the request content is as follows:

http://www.abc.com/index.php?lang=german%0d%0aContent- Length:%200%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2041%0d%0aHello, you have been phished

B) The request is sent at www.abc.com... But it is important that it is passed through the intermediate proxy server. Therefore, on the proxy server, the first request is mapped to the first response, and the second response is suspended because no matching request is available.

C) after the first request is sent, the attacker will immediately send a new second request to the target website through the proxy server). The content is as follows:

GET /branches.html HTTP/1.1
Host: www.abc.com

After receiving branches.html, The d)agent immediately maps it to the second response, that is, 'you have been phished ').The requests sent to branches.html will not show the bank's branch list, but direct to malicious web pages. Yes, this is true for every visitor, not just for attackers.. Why? Because this is exactly how the cache proxy server is processed... The cache response is frequently requested. Also, if a request sent to branches.html always generates a static list of information about the bank branch, the proxy server will almost certainly call the cache to respond to the request. In other words, a request to branches.html will automatically return a response from the cache. Under the attacker's arrangement, the proxy server's cache content is infected and forced to return malicious responses rather than the original static list ...... This situation continues until the cache expires.

We hope that after the above detailed introduction, you will have a clear concept of HTTP response splitting. This is the top priority of the article, so read it several more times. The key lies in that the second request sent by the attacker will force the proxy server to follow the ing mode corresponding to the second response of the second request. Once you understand this, the entire concept should be clearer.