HTTP Response Splitting [CWE-113] — The Hacktivists

1. Description
………………………………

This weakness occurs when software accepts data from an upstream provider but does not neutralize or incorrectly neutralizes CR and LF characters before including data into HTTP response headers. This provides an attacker with the ability to inject arbitrary headers into the HTTP response, which is sent to a client. As a result, an attacker might be able to modify the contents of the HTTP response by means of unexpected CR (carriage return — %0d or \r) and LF (line feed — %0a or \n) characters and send to the browser two different HTTP responses instead of one. The attacker, who controls the second HTTP response, can perform different attacks such as cache poisoning and cross-site scripting.

use CGI qw(:standard);
my $value = param('cookie');
print "Content-type: text/plain\n";
print "Set-Cookie: cookie=$value\n";
GET /test.pl?page=/index.html HTTP/1.1
HOST: testhost.local
Referer: testhost.local
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None
HTTP/1.1 302 Found
Date: Fri, 07 Sep 2012 17:02:45 GMT
Server: Apache
Location: /index.html
Content-Length: 0
Connection: close
Content-Type: text/html; charset=Windows-1252
GET /test.pl?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont color=red%3ECSRF%3C/font%3E%3C/html%3E HTTP/1.1
HOST: testhost.local
Referer: testhost.local
ACCEPT: */*
Accept-Encoding: None
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Close
Accept-Transfer-Encoding: None

2. Potential impact
………………………………

An attacker might be able to perform cross-site scripting, phishing and cache poisoning attacks. This weakness is a significant threat for high load servers that use caching proxies to deliver content to the end-users. One request sent by an attacker can be cached and displayed to all visitors of a webpage. As a result, an attacker might be able to gain access to potentially sensitive data and perform different attacks against website users.

3. Attack patterns
………………………………

CAPEC has the following patterns for this weakness:

4. Affected software
………………………………

Any software that uses input data to construct headers is potentially vulnerable to this weakness. In most cases, these are web applications, web servers, caching proxies.

5. Severity and CVSS Scoring
……………………………………..

Depending on potential damage this weakness could impact the integrity of the application and is usually scored as:
5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N] — Medium severity.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
The Hacktivists

The Hacktivists

Contact us for Information Security Services & Training https://thehacktivists.in/