What is HTTP Response splitting?

Asked

Viewed 907 times

20

Reading about HTTP headers I ended up coming across a function filter that removed both invalid characters from the header field value (header field), how many multiple characters CRLF. This second on the pretext of avoiding the HTTP Response splitting. From what I understand superficially, this attack consists in you defining the value of the field containing at least two CRLF and thus having full control of the request body.

For example:

Fake: foo\r\n\r\nHello world

This header field would be interpreted as:

Fake: foo

Hello world

Where, then, Hello world would be interpreted as the body of the request due to the blank line separating the headers from the content, see HTTP specification. Or better, if the HTTP response has something like:

HTTP/1.1 200 OK
Fake: foo\r\n\r\nHTTP/1.1 200 OK\r\n\r\nHello World

Will be interpreted as:

HTTP/1.1 200 OK
Fake: foo

HTTP/1.1 200 OK

Hello World

That is, two distinct HTTP responses, which defines the name Sponse splitting.

  • HTTP Response splitting it’s either that or I got it wrong?
  • What would be the risks for the application not to treat this vulnerability?
  • Servers, like Apache and Nginx, already have some kind of security against this?

If possible, give examples of requests that make use of HTTP Response splitting to take advantage of the server vulnerability.

security-guard http http-headers

  • It’s not really an answer to all your questions, but it’s still a header injection. Only happens if you use some value typed by the user in a header untreated. That is, it is a security issue at the application level. The risk is to allow an attacker to return what they want using a endpoint your. On your last question, I believe this should be dealt with at the application level and not directly on the server. It is the responsibility of your application to treat the headers, potentially with URL encoding.

2 answers

4


According to the OWASP, the attack HTTP response splitting is a means to an end, not an end in itself - that is, it is a gap used to carry out other types of attack. At its root, the attack is straightforward: an attacker passes malicious data to a vulnerable application and the application includes the data in an HTTP response header.

"HTTP Response splitting" occurs when:

  • Data enters a web application through an unreliable source, most often it is an HTTP request.
  • Data is included in an HTTP response header sent to a web user without being validated for malicious characters.

To mount a successful attack, the application must allow entry that contains CR characters (Carriage, Return, represented by %0d or \r) and LF (line feed, represented by %0a or \n) in the header and the underlying platform shall be vulnerable to the injection of such characters. These characters not only give attackers control of the remaining headers and the body of the response the app intends to send, but also allow them to create additional responses under their control.

I believe that, in general, this vulnerability has been fixed on most modern application servers, regardless of the language in which the code was written. At least on the pertinent issues I found in https://security.stackexchange.com/search?q=HTTP+Response+Splitting (Security-oriented Stack Exchange community) almost all are not necessarily an attack. But some have in common the fact that they use loopholes in proxy and not necessarily the web server itself, so it is still possible that these attacks occur today.

If you are concerned about this risk you should test on your current platform whether it allows CR or LF characters to be injected into headers. The example below uses an example of Java, but this problem has been fixed on virtually all modern Java EE application servers. If you are concerned about this risk, you should test on the worry platform to see if the underlying platform allows CR or LF characters to be injected into headers.

For a practical example let’s take the request:

 HTTP/1.1 200 OK
 Date: Thu, 13 Jul 2017 02:02:45 GMT
 Last-Modified:Mon, 10 Jul 2017 21:30:06 GMT
 Accept-Ranges:  none
 Connection: close
 Content-Type: text/html; charset=UTF-8
 Cookie: test=114&username=João

 <html>
 [...]

However, as the cookie value is formed from non-validated user input I can change my user name 'John' and include CRLF (as explained above) in the field. An attacker could then inject malicious content into the page, for example, it would be possible to configure the username for 'João r n r r r r r r r r r r r r r r r r r r r r r r r n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n:

 HTTP/1.1 200 OK
 Date: Thu, 13 Jul 2017 02:02:45 GMT
 Last-Modified:Mon, 10 Jul 2017 21:30:06 GMT
 Accept-Ranges:  none
 Connection: close
 Content-Type: text/html; charset=UTF-8
 Cookie: test=114&username=João

 <script>conteúdo malicioso ... </script>
 <html>
 ...

In this example a Javascript code was injected into the page. This is a form of XSS/DOM injection through the attack of "splitting" but not necessarily a HTTP response splitting, but uses the same technique to inject some malicious code into the page.

Let’s now for example change the malicious code to something like "John r n r nContent-Length: 45 r n r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r r... ", the HTTP response would be divided into an imposter response followed by the original answer, which is now ignored:

 HTTP/1.1 200 OK
 Date: Thu, 13 Jul 2017 02:02:45 GMT
 Last-Modified:Mon, 10 Jul 2017 21:30:06 GMT
 Accept-Ranges:  none
 Connection: close
 Content-Type: text/html; charset=UTF-8
 Cookie: test=114&username=João
 Content-Length: 45

 <html>conteúdo malicioso ... </html>
 <html>conteúdo original começa após o 46º caracter e é ignorado.[...]

On an unprotected server you could send CRLF characters through querystring:

http://www.yoursite.com/somepage.php?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E

The client would see the result of the script, which in this case is a simple Alert:

<script>alert(1)</script>

If by doing a test like this in your application, and it is possible to see the Alert your system is vulnerable to CRLF injection, then vulnerable to HTTP response splitting.

The attacker’s ability to build HTTP responses by using HTTP response splitting, allows several other resulting attacks, including: Cross-User Defacement, Cache Poisoning, Cross-site Scripting (XSS) and Page Hijacking.

  • Doubt: This cache Poisoning occurs when the application caches the modified response and thus all users of the application are affected when accessing the cached page?

  • @Andersoncarloswoss Only if the cache is external (an ISP cache server or proxy server for example) could it be affecting more than one user. The private cache (service worker, disk cache, etc) is stored on the client’s computer, affecting only one specific client.

2

One cannot have two Sponses for a request. The name comes from the possibility of returning two contents in the same Answer - one false and the other true, but this second will be ignored.

Using the Wikipedia example HTTP Response Splitting:

If you make a request where the return is based on querystring, for example:

GET /consoto.com/author/Jane+Smith
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
...

If the same request is made with CR+LF injection:

GET /contoso.com/author/Jane+Smith\r\nContent-Length:45\r\n\r\n...
...
Set-Cookie: author=Jane Smith
Content-Length: 999

<html>conteúdo malicioso...</html> (até 999 caracteres neste exemplo)

The original content of Response will start from the 1000 character, which will be ignored by the browser.

Imagine your application to display your user profile data is something /usuarios/Anderson+Woss, an attack would create a URL /usuario/Anderson+Woss+<um formulario pedindo dados bancários> and send to thousands of emails. Using your domain and your credibility for illicit advantages.

There is no reason for web publishers to "protect" themselves from this, as it is possible that this is a valid request for your application. Depends on your business.

To prevent this, there are resources of HTTP Filters. This in any web technology. And there you can prevent this kind of exploit.

  • And the most important question: what are the potential risks to the application? Because from what I understand both answers will only be delivered to the attacker, so what would be the problem?

  • 1

    Imagine your application to display your user profile data is something /usuarios/Anderson+Woss, an attack would create a URL /usuario/Anderson+Woss+<um formulario pedindo dados bancários> and send to thousands of emails. Using your domain and your credibility for illicit advantages.

  • if this is relevant to the question, please insert it directly in the reply, not in the comments.

  • 1

    All right, there it is.

  • That negatived, please express yourself.

Browser other questions tagged security-guard http http-headers

You are not signed in. Login or sign up in order to post.