HTTP Response Splitting

Similar documents
Security-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Cross Site Scripting in Joomla Acajoom Component

Anatomy of a Pass-Back-Attack: Intercepting Authentication Credentials Stored in Multifunction Printers

Introduction to Computer Security

Cyber Security Workshop Ethical Web Hacking

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Check list for web developers

What is Web Security? Motivation

COMP 112 Assignment 1: HTTP Servers

Internet Technologies. World Wide Web (WWW) Proxy Server Network Address Translator (NAT)

HTTP Protocol. Bartosz Walter

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Web Security Threat Report: January April Ryan C. Barnett WASC Member Project Lead: Distributed Open Proxy Honeypots

Web Application Security

Client Side Filter Enhancement using Web Proxy

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

Hypertext for Hyper Techs

Web Application Security

The Hyper-Text Transfer Protocol (HTTP)

(WAPT) Web Application Penetration Testing

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 20

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

Recommended Practice Case Study: Cross-Site Scripting. February 2007

International Journal of Engineering & Technology IJET-IJENS Vol:14 No:06 44

Lecture 11 Web Application Security (part 1)

HTTP Caching & Cache-Busting for Content Publishers

Hack Proof Your Webapps

LBL Application Availability Infrastructure Unified Secure Reverse Proxy

Gateway Apps - Security Summary SECURITY SUMMARY

Polyglot: Automatic Extraction of Protocol Message Format using Dynamic Binary Analysis

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Web Services April 21st, 2009 with Hunter Pitelka

Application Security Testing. Generic Test Strategy

Information Extraction Art of Testing Network Peripheral Devices

Using SAML for Single Sign-On in the SOA Software Platform

Alteon Browser-Smart Load Balancing

Magento Security and Vulnerabilities. Roman Stepanov

A Tale of the Weaknesses of Current Client-side XSS Filtering

CTIS 256 Web Technologies II. Week # 1 Serkan GENÇ

Guidelines for Web applications protection with dedicated Web Application Firewall

Research of Web Real-Time Communication Based on Web Socket

Playing with Web Application Firewalls

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5

Cross-Site Scripting

ivoyeur: permission to parse

Network Technologies

The Top Web Application Attacks: Are you vulnerable?

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

T14 SECURITY TESTING: ARE YOU A DEER IN THE HEADLIGHTS? Ryan English SPI Dynamics Inc BIO PRESENTATION. Thursday, May 18, :30PM

Chapter 2: Interactive Web Applications

Web Application Security Considerations

Web Security Testing Cookbook*

THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6

Playing with Web Application Firewalls

ICSA Labs Web Application Firewall Certification Testing Report Web Application Firewall - Version 2.1 (Corrected) Radware Inc. AppWall V5.6.4.

Protocolo HTTP. Web and HTTP. HTTP overview. HTTP overview

Criteria for web application security check. Version

The Web: some jargon. User agent for Web is called a browser: Web page: Most Web pages consist of: Server for Web is called Web server:

All You Can Eat Realtime

DEPLOYMENT GUIDE DEPLOYING THE BIG-IP LTM SYSTEM WITH CITRIX PRESENTATION SERVER 3.0 AND 4.5

Hack Yourself First. Troy troyhunt.com

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Ethical Hacking as a Professional Penetration Testing Technique

Network Security Testing using MMT: A case study in IDOLE project

Uploaded images filter evasion for carrying out XSS attacks

An Insight into Cookie Security

Web. Services. Web Technologies. Today. Web. Technologies. Internet WWW. Protocols TCP/IP HTTP. Apache. Next Time. Lecture # Apache.

Web application security: Testing for vulnerabilities

Introduction Les failles les plus courantes Les injections SQL. Failles Web. Maxime Arthaud. net7. Jeudi 03 avril 2014.

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Chapter 7. Web Application Firewall

Secure Web Development Teaching Modules 1. Threat Assessment

Phishing by data URI

Architecture of So-ware Systems HTTP Protocol. Mar8n Rehák

Package httprequest. R topics documented: February 20, 2015

Combating Web Fraud with Predictive Analytics. Dave Moore Novetta Solutions

Arnaud Becart ip- label 11/9/11

WEB ATTACKS AND COUNTERMEASURES

No. Time Source Destination Protocol Info HTTP GET /ethereal-labs/http-ethereal-file1.html HTTP/1.

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Essential IT Security Testing

Java Web Application Security

Project #2. CSE 123b Communications Software. HTTP Messages. HTTP Basics. HTTP Request. HTTP Request. Spring Four parts

The Web History (I) The Web History (II)

Web application security

1. When will an IP process drop a datagram? 2. When will an IP process fragment a datagram? 3. When will a TCP process drop a segment?

Security features of ZK Framework

Transcription:

The Attack HTTP Response Splitting is a protocol manipulation attack, similar to Parameter Tampering The attack is valid only for applications that use HTTP to exchange data Works just as well with HTTPS because the entry point is in the user visible data There are a number of variations on the attack 2

The Attack An HTTP message response includes two parts : Message Headers metadata that describes a request or response oeach terminated by a carriage return (\r) and a linefeed (\n) GET http://www.google.com/ HTTP/1.1\r\n Host: www.google.com\r\n User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.0.1; Google-TR-5.7.806.10245-en) Gecko/2008070208 Firefox/3.0.1 Paros/3.2.13\r\n Accept: text/html,application/xhtml+xml,application/xml; q=0.9,*/*;q=0.8\r\n Accept-Language: en-us,en;q=0.5\r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n Keep-Alive: 300\r\n Proxy-Connection: keep-alive\r\n 3

The Attack Then the Message Body which is the raw data of the response <HTML>\r\n <HEAD>\r\n <TITLE>Your Title Here</TITLE>\r\n </HEAD>\r\n <BODY>\r\n </BODY>\r\n </HTML>\r\n 4

The Attack The Message Headers are also separated from the message body a carriage return/linefeed pair GET http://www.google.com/ HTTP/1.1 \r\n Host: www.google.com \r\n User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.9.0.1; Google-TR- 5.7.806.10245-en) Gecko/2008070208 Firefox/3.0.1 Paros/3.2.13 \r\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \r\n Accept-Language: en-us,en;q=0.5 \r\n Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 \r\n Keep-Alive: 300 \r\n Proxy-Connection: keep-alive \r\n \r\n <HTML> <HEAD> <TITLE>Your Title Here</TITLE> 5

The Attack Those two consecutive carriage-return-linefeed pairs are the source of HTTP response splitting vulnerabilities The HTTP response splitting vulnerability is not the attack, it is simply the path that makes it possible The key to the attack is ability for an attacker to modify the message headers HTML is stateless, so neither the web server nor the browser has any problem with this seemingly odd behavior Why didn't the creators of HTTP think about this? 6

The Attack Example Let s understand how a normal page redirection works in HTTP Example: A page containing a redirect script: A request like: would redirect to: protected void processrequest(httpservletrequest arequest, HttpServletResponse aresponse) throws ServletException, IOException { redirect( http://www.new-url.com, aresponse); } http://www.bank.com/offer.jsp?page=http://www.bank.com/freechecking How do the headers work behind the scenes? http://www.bank.com/freechecking 7

The Attack Example Under the hood, the request is GET /latestoffer.jsp?page=http://www.bank.com/freechecking HTTP/1.1\r\n Host: www.bank.com \r\n \r\n The server responds with an HTTP 302 (redirect) HTTP/1.1 302 Found \r\n Location: http://www.bank.com/freechecking \r\n NOTE: THIS COULD BE THE USER INPUT IN HEADER \r\n 8

The Attack Example The browser then fetches the new page GET / HTTP/1.1 \r\n Host: http://www.bank.com/freechecking \r\n \r\n The server responds with HTTP 200 (found) and the page HTTP/1.1 200 OK \r\n \r\n 9

The Attack Example But the user can input something that terminates the response and initiates an attack /latestoffer.jsp?page=foobar%0d%0acontent- Length:%200%0d%0d%0a%0aHTTP/1.1%20200%20OK%0d %0aContent-Type:%20text/html%0d%0a Content-Length:%2019%0d%0a%0d%0a<html>Attack</html> %0d%0a is the URL encoding of the \r\n Remember that you need two \r\n sequences between the headers and the body 10

The Attack Example Which results in HTTP/1.1 302 Moved Temporarily Location: http://www.mybank.com/latestoffer.jsp?page=foobar Content Length: 0 HTTP/1.1 200 OK Content-Type: text/html Content-Length: 19 <<Anything you want>> Server: gws Content-Type: text/html Content-Length:%2019 <html>attack</html> } First } Second (inserted) HTTP response Superfluous data } HTTP response 11

The Attack Example The dangerous part of this, is <<Anything you want>> A script that can take over the user's browser or steal cookie information A redirection to a different host and web page A page that mimics another site and collect credentials It can poison the web cache leading to site defacement However, the exploit is not complete There are now two responses, but only one request The web server will simply hold the second response 12

The Attack - Example The attacker has to issue another request In the simplest case, simply send http://www.bank.com How the attacker does this is dependent on the situation and the attackers goals See the following example of cache poisoning 13

The Attack Cache Poisoning One goal of the attacker might be cache poisoning A site has a proxy server for web pages The attacker and victims are behind the proxy server Proxy Server Web Server Users and Attacker When a response is received by the proxy server, it saves it to answer future requests So the proxy server saves both responses from the attack If the second response defaces a real page, or creates a page with a malicious JavaScript embedded, everyone on the network will get it 14

The Attack Browser Cache Poisoning The attacker creates an HTTP Response Splitting attack based on a URL http://somesite.com/start.php?first=xxx<script> </script>&lang=fr%0d%0acontent-length:0%0d%0a HTTP/1.1%20200%20Found%0d%0aContent- Length:550%0d%0a and seduces a victim into clicking on it The web servers first response contains a Cross-site Scripting attack The script issues an Ajax request that sends the second request And the victim s web cache (and any proxy server) is poisoned 15

Consequences HTTP Response Splitting can lead to: Cross-site Scripting (XSS) attacks Cross User Defacement Web Cache Poisoning Page Hijacking Browser Cache Poisoning Browser Hijacking???? 16

Discovery Check for any data outside of the Trust Boundary that is used in any HTTP header Try inserting a carriage return/linefeed pair to see it is allowed to pass through If so, you have a vulnerability Be suspicious of redirects in code they often use information stored in the client Be aware that Post data can also be used in an attack It may be advantageous, because URL's have limited length It requires that the attack be perpetrated via a script so it is more difficult to implement 17

Remediation If there are values outside the Trust Boundary that are used in HTTP messages, Validate the values by whitelisting othey are only allowed to be certain values, nothing else ofor example, all language designators must be two alphabetic characters, exactly In the event that a subject parameter might be allowed to contain a CR/LF pair, URL encode all data in HTTP headers with the HTML entity reference \r => \n => This prevents them from being accepted as the control sequence \r\n 18

Avoidance Design Phase Identify all application inputs that could be used in HTTP headers Specify secure coding guidelines for handling the data Reduce the number of cases as much as possible to reduce the attack surface size Establish a test plan for validating that all cases are correctly remediated If client-side data is used to redirect or modify the HTTP headers, remap the data to an ordinal set on the server side oif there are 10 pages you can redirect to, change them to 'A'.. 'J' externally othis is essentially a look up table and prevents the attacker's content from being used in an attack 19

Avoidance Implementation Phase All inputs must be validated Be aware of any use of input data in HTTP headers and code accordingly Testing Phase Use dynamic analyzers to validate the application (they are good at finding this vulnerability) 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information