HTTP protocol Header Injection Vulnerability instance

The HTTP response header file contains unverified data that will cause cache-poisoning, cross-site scripting, Cross-user defacement, page hijacking, cookie Manipulation or open redirect.

HTTP protocol Header Injection Vulnerability principle

The HTTP protocol header injection vulnerability is present in the following scenarios: 1. The data enters the WEB application through an unreliable data source, most commonly HTTP requests. 2. The data is contained in an HTTP response header file, which is sent to the Web user without verification.

One of the most common Header manipulation attacks is the HTTP Response splitting. In order to successfully implement Http Response splitting theft, the application must allow characters that contain CR (carriage return, specified by%0d or \ r) and LF (newline, by%0a or \ n) to be entered into the header file.

By exploiting these characters, an attacker can control not only the remaining header files and the body of the response that the application sends, but also other responses that are completely under their control.

HTTP protocol Header Injection Vulnerability instance

1 <? PHP 2     $location $_get [' Some_location ']; 3     Header $location"); 4 ?>

Assuming that a string consisting of a standard alphanumeric character, such as "index.html", is submitted in the request, the HTTP response containing the cookie may appear in the following form:

http/1.1-ok...location:index.html ...

However, because the value of the location consists of unauthenticated user input, the response retains this form only if the value that is submitted to some_location does not contain any CR and LF characters.

If the attacker commits a malicious string, such as:

"index.html\r\nhttp/1.1 ok\r\n ..."

Then this HTTP response is split into two responses in the following form:

http/1.1 oklocation:index.htmlhttp/1.1 ...

Obviously, the second response is completely under the control of the attacker, who can build the response with the desired header file and body content. An attacker could build any HTTP response to initiate multiple forms of attack.

HTTP protocol Header Injection Vulnerability solution

Many modern application servers today can prevent HTTP header files from infecting malicious characters.

For example, when a new row is passed to the header () function, the latest version of PHP generates a warning and stops creating the header file. If your PHP version is able to block header files with line breaks, it has the ability to defend against HTTP Response splitting.

Common solutions at the code level:

1. Strictly check if the variable is already initialized
2. Filter the carriage return line (%0d%0a,%0d%0a) characters in the code that sets the HTTP response header
3. Disallow parameters in the header () function to be controlled externally

HTTP protocol Header Injection Vulnerability instance