This article introduces HTTP response splitting in PHP web sites, showing the attack from the attacker's point of view.
Format of the HTTP request
1) Request line: for example "GET /index.php HTTP/1.1", which requests the file index.php
2) Headers: for example "Host: localhost", which gives the server address
3) Blank line
4) Message body
The request line and every header must end with a newline sequence (CRLF), and the blank line must contain only the line break and no other whitespace.
The following example sends an HTTP request to the server www.yhsafe.com:
GET /index.php HTTP/1.1    // request line
Host: www.yhsafe.com       // header
The blank line corresponds to pressing Enter; once the blank line is sent, the HTTP request is complete. Only the Host header is mandatory in the request; the other HTTP headers depend on the content of the request.
HTTP request methods
1) GET: request a resource
2) HEAD: same as GET, but only the response headers are returned
3) POST: send data to the server for processing; the data is carried in the HTTP message body
4) PUT: upload a file
5) DELETE: delete a file
6) TRACE: echo back the received request
7) OPTIONS: return the HTTP methods supported by the server
8) CONNECT: convert the HTTP connection into a transparent TCP/IP tunnel
Format of the HTTP response
After the server has processed the client's HTTP request, it sends the following response:
1) The first line is the status line
2) The lines that follow carry the other information
The status line contains a number that identifies the status and a word that describes it. For example, in "HTTP/1.1 200 OK", 200 is the number identifying the status, OK is the word describing it, and this status code means the request succeeded.
Examples of HTTP requests and responses
Open cmd, type telnet, then enter: open www.00aq.com 80
Once the connection is open, type:
GET /index.php HTTP/1.1
Host: www.00aq.com
followed by a blank line.
The server returns the HTTP response headers, followed by the content of the home page.
Using PHP to send HTTP requests
The header() function can be used to send raw HTTP headers
Function prototype
void header ( string $string [, bool $replace = true [, int $http_response_code ]] )
$string is the HTTP header to send
If $replace is true, an earlier header of the same type is replaced by this one; if $replace is false, several headers of the same type may be sent. The default is true.
$http_response_code forces the HTTP response code to the given value
Instance:
<?php
// Open an Internet socket connection (port 80, as in the telnet example above)
$fp = fsockopen("www.00aq.com", 80);
// Write the HTTP request headers
fputs($fp, "GET / HTTP/1.1\r\n");
fputs($fp, "Host: www.00aq.com\r\n");
// Ask the server to close the connection afterwards; otherwise feof() never
// becomes true on an HTTP/1.1 keep-alive connection and the loop below hangs
fputs($fp, "Connection: close\r\n\r\n");
// String for the HTTP response
$http_response = "";
while (!feof($fp))
{
    // Read up to 256 bytes of the HTTP response at a time
    $http_response .= fgets($fp, 256);
}
// Close the Internet socket connection
fclose($fp);
// Display the HTTP response
echo nl2br(htmlentities($http_response));
?>
HTTP response splitting attack
HTTP response splitting occurs when an attacker crafts an e-mail or a link so that a single request from the target user produces two responses: the first is the server's response and the second is the one the attacker designed. The attack is possible because the web application places user-supplied data in an HTTP response header, and that data has been crafted by the attacker.
The PHP functions that may be affected by HTTP response splitting include the following:
header(); setcookie(); session_id(); setrawcookie();
HTTP response splitting typically occurs in:
Location header: user data is written into the redirect URL
Set-Cookie header: user data is written into a cookie
Instance:
<?php
header("Location: " . $_GET['page']);
?>
Request
GET /location.php?page=http://www.00aq.com HTTP/1.1
Host: localhost
Response
HTTP/1.1 302 Found
Date: Wed, Jan 03:44:24 GMT
Server: Apache/2.2.8 (Win32) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Location: http://www.00aq.com
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Visiting the link below makes a login window appear directly:
Http://localhost/location.php?page=%0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type: %20text/html%0d%0acontent-length:%20158%0d%0a%0d%0a Account%20 Password%20
Converted to a readable string:
Content-Type: text/html
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 158

Account Password
One HTTP request produced two responses.
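The following is an added example, not code from the original article. It ties the request/response format described earlier to the split shown above: it rebuilds the raw bytes that the vulnerable location.php would emit for a given page value and then parses them the way a simple HTTP client would, so the single-response and two-response cases can be compared. The crafted value and the Server header value are constructed for this example.

```php
<?php
// Added example, not code from the original article. The "page" values and
// the Server header value below are constructed for illustration.

// Emit a 302 the way the vulnerable script does: the user-controlled value
// is concatenated straight into the Location header.
function build_raw_response(string $page): string
{
    return "HTTP/1.1 302 Found\r\n"
         . "Server: placeholder\r\n"
         . "Location: " . $page . "\r\n"
         . "Content-Length: 0\r\n"
         . "\r\n";
}

// Split a raw HTTP byte stream into the responses a client would see.
// Each response is a status line, a header block ended by CRLF CRLF and a
// body of Content-Length bytes; parsing stops at the first thing that is
// not a status line.
function split_responses(string $raw): array
{
    $responses = [];
    $offset = 0;
    $length = strlen($raw);
    while ($offset < $length) {
        $headerEnd = strpos($raw, "\r\n\r\n", $offset);
        if ($headerEnd === false) {
            break; // truncated message
        }
        $lines = explode("\r\n", substr($raw, $offset, $headerEnd - $offset));
        $statusLine = array_shift($lines);
        if (!preg_match('#^HTTP/\d\.\d \d{3}#', $statusLine)) {
            break; // not the start of a response
        }
        $headers = [];
        foreach ($lines as $line) {
            $parts = explode(':', $line, 2);
            if (count($parts) === 2) {
                $headers[strtolower(trim($parts[0]))] = trim($parts[1]);
            }
        }
        $bodyStart = $headerEnd + 4;
        $bodyLength = (int) ($headers['content-length'] ?? 0);
        $responses[] = [
            'status'  => $statusLine,
            'headers' => $headers,
            'body'    => substr($raw, $bodyStart, $bodyLength),
        ];
        $offset = $bodyStart + $bodyLength;
    }
    return $responses;
}

// Benign value: exactly one response, Location carries the URL.
$benign = split_responses(build_raw_response('http://www.00aq.com'));
printf("benign: %d response(s), Location=%s\n",
    count($benign), $benign[0]['headers']['location']);

// Constructed value carrying CR LF: the first response is closed early and a
// second response, shaped entirely by the value, follows it in the same stream.
$crafted = "\r\nContent-Length: 0\r\n\r\n"
         . "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello";
$split = split_responses(build_raw_response($crafted));
printf("crafted: %d response(s); second status line: %s\n",
    count($split), $split[1]['status'] ?? '(none)');
```

The benign value yields one parsed response; the crafted value yields two, and the second one's status line, headers and body all come from the query parameter rather than from the script. Real browsers and proxies are more tolerant than this parser (the article's own payload omits the blank line before the injected status line and still worked), which is why any CR or LF reaching a header is a problem regardless of what follows it.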
Precautions:
1) Remove CR and LF characters
<?php
header("Location: " . strtr($_GET['page'], array("\r" => "", "\n" => "")));
?>
2) Use the latest version of PHP
In the latest version of PHP, newline characters are not allowed in HTTP headers sent with header()
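The following is an added example, not code from the original article. It is a defensive wrapper around header() for the redirect case that rejects, rather than silently strips, any control character in the value and only redirects to hosts on an allow-list; the allow-list contents and the location.php file name are assumptions for this example.

```php
<?php
// Added example, not code from the original article. The allow-list and the
// use in location.php are assumptions made for illustration.

class HeaderInjectionException extends RuntimeException {}

// Return $value unchanged if it can safely be placed in a header, otherwise throw.
function assert_safe_header_value(string $value): string
{
    // CR (0x0D), LF (0x0A), NUL and every other C0 control character, plus DEL
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        throw new HeaderInjectionException('control character in header value');
    }
    return $value;
}

// Return true only for absolute http(s) URLs whose host is on the allow-list.
function is_allowed_redirect(string $target, array $allowedHosts): bool
{
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Send a Location header only after both checks pass.
function safe_redirect(string $target, array $allowedHosts): void
{
    $target = assert_safe_header_value($target);
    if (!is_allowed_redirect($target, $allowedHosts)) {
        throw new HeaderInjectionException('redirect target not allowed');
    }
    header('Location: ' . $target, true, 302);
}

// Hardened location.php (assumed allow-list of one host):
try {
    safe_redirect($_GET['page'] ?? '', ['www.00aq.com']);
} catch (HeaderInjectionException $e) {
    // Record the rejected value server-side; send the client a generic error.
    error_log('rejected redirect: ' . $e->getMessage());
    http_response_code(400);
    echo 'Bad request';
}
```

Rejecting instead of stripping has two advantages over the strtr() fix: the attempt is visible in the server log, and a value that was tampered with is never used at all. The host allow-list additionally closes the open-redirect case, which the CR/LF check alone does not address. PHP itself has refused header values containing a newline since 5.1.2, which is what the advice to run a current PHP version relies on, but the check above also covers frameworks or custom code that write headers without going through header().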
Hiding HTTP response headers
Apache: in httpd.conf, set ServerTokens Prod and ServerSignature Off
PHP: in php.ini, set expose_php = Off