Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016) - Revision history

Andrew Muller: Andrew Muller moved page Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017) to Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)

2014-08-08T12:05:12Z

Andrew Muller moved page Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017) to Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)

Andrew Muller at 16:49, 31 July 2014

2014-07-31T16:49:00Z

Andrew Muller: Andrew Muller moved page Testing for HTTP Splitting/Smuggling (OWASP-DV-016) to Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017): Align with Common Numbering

2014-07-31T14:39:22Z

Andrew Muller moved page Testing for HTTP Splitting/Smuggling (OWASP-DV-016) to Testing for HTTP Splitting/Smuggling (OTG-INPVAL-017): Align with Common Numbering

Jane O'Connor: Final edit

2014-05-19T10:46:00Z

Final edit

Show changes

Shady: References

2013-05-12T17:36:23Z

References

Mmeucci at 14:53, 9 October 2012

2012-10-09T14:53:44Z

Ingo86 at 13:45, 2 April 2009

2009-04-02T13:45:45Z

KirstenS: /* References */

2009-02-09T22:31:56Z

‎References

KirstenS: /* HTTP Splitting */

2009-02-09T22:28:25Z

‎HTTP Splitting

KirstenS: Testing for HTTP Exploit (OWASP-DV-016) moved to Testing for HTTP Splitting/Smuggling (OWASP-DV-016)

2008-12-15T22:39:21Z

Testing for HTTP Exploit (OWASP-DV-016) moved to Testing for HTTP Splitting/Smuggling (OWASP-DV-016)

@@ Line 1: / Line 1: @@
 {{Template:OWASP Testing Guide v4}}
-== Brief Summary ==
+== Summary ==
 This section illustrates examples of attacks that leverage specific features of the HTTP protocol, either by exploiting weaknesses of the web application or peculiarities in the way different agents interpret HTTP messages.
 <br>
 This section will analyze two different attacks that target specific HTTP headers:
 *HTTP splitting
@@ Line 16: / Line 15: @@
 In the second attack, the attacker exploits the fact that some specially crafted HTTP messages can be parsed and interpreted in different ways depending on the agent that receives them. HTTP smuggling requires some level of knowledge about the different agents that are handling the HTTP messages (web server, proxy, firewall) and therefore will be included only in the Gray Box testing section.
+==How to Test==
-== Black Box testing and Examples ==
+=== Black Box testing ===
-===HTTP Splitting===
+====HTTP Splitting====
 Some web applications use part of the user input to generate the values of some headers of their responses. The most straightforward example is provided by redirections in which the target URL depends on some user-submitted value. Let's say for instance that the user is asked to choose whether he/she prefers a standard or advanced web interface. The choice will be passed as a parameter that will be used in the response header to trigger the redirection to the corresponding page.
@@ Line 80: / Line 79: @@
-== Gray Box testing and example ==
+=== Gray Box testing ===
-===HTTP Splitting===
+====HTTP Splitting====
 A successful exploitation of HTTP Splitting is greatly helped by knowing some details of the web application and of the attack target. For instance, different targets can use different methods to decide when the first HTTP message ends and when the second starts. Some will use the message boundaries, as in the previous example. Other targets will assume that different messages will be carried by different packets. Others will allocate for each message a number of chunks of predetermined length: in this case, the second message will have to start exactly at the beginning of a chunk and this will require the tester to use padding between the two messages. This might cause some trouble when the vulnerable parameter is to be sent in the URL, as a very long URL is likely to be truncated or filtered. A gray box scenario can help the attacker to find a workaround: several application servers, for instance, will allow the request to be sent using POST instead of GET.
-===HTTP Smuggling===
+====HTTP Smuggling====
 As mentioned in the introduction, HTTP Smuggling leverages the different ways that a particularly crafted HTTP message can be parsed and interpreted by different agents (browsers, web caches, application firewalls). This relatively new kind of attack was first discovered by Chaim Linhart, Amit Klein, Ronen Heled and Steve Orrin in 2005. There are several possible applications and we will analyze one of the most spectacular: the bypass of an application firewall. Refer to the original whitepaper (linked at the bottom of this page) for more detailed information and other scenarios.

@@ Line 98: / Line 98: @@
 * Amit Klein: "HTTP Request Smuggling - ERRATA (the IIS 48K buffer phenomenon)" - http://www.securityfocus.com/archive/1/411418
 * Amit Klein: “HTTP Response Smuggling” - http://www.securityfocus.com/archive/1/425593<br>
+* Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin: "HTTP Request Smuggling" - http://www.cgisecurity.com/lib/http-request-smuggling.pdf

← Older revision		Revision as of 14:53, 9 October 2012
Line 1:		Line 1:
−	{{Template:OWASP Testing Guide v3}}	+	{{Template:OWASP Testing Guide v4}}

	== Brief Summary ==		== Brief Summary ==

@@ Line 93: / Line 93: @@
 == References ==
 '''Whitepapers'''
-* Amit Klein, "Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" - http://www.watchfire.com/news/whitepapers.aspx
+* Amit Klein, "Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" - http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
 * Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin: "HTTP Request Smuggling" - http://www.watchfire.com/news/whitepapers.aspx
 * Amit Klein: "HTTP Message Splitting, Smuggling and Other Animals" - http://www.owasp.org/images/1/1a/OWASPAppSecEU2006_HTTPMessageSplittingSmugglingEtc.ppt
@@ Line 102: / Line 102: @@
 [[Category:FIXME|broken links
 * Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin: "HTTP Request Smuggling" - http://www.watchfire.com/news/whitepapers.aspx

← Older revision		Revision as of 22:31, 9 February 2009
Line 98:		Line 98:
	* Amit Klein: "HTTP Request Smuggling - ERRATA (the IIS 48K buffer phenomenon)" - http://www.securityfocus.com/archive/1/411418		* Amit Klein: "HTTP Request Smuggling - ERRATA (the IIS 48K buffer phenomenon)" - http://www.securityfocus.com/archive/1/411418
	* Amit Klein: “HTTP Response Smuggling” - http://www.securityfocus.com/archive/1/425593<br>		* Amit Klein: “HTTP Response Smuggling” - http://www.securityfocus.com/archive/1/425593<br>
		+
		+
		+	[[Category:FIXME\|broken links
		+
		+	* Amit Klein, "Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" - http://www.watchfire.com/news/whitepapers.aspx
		+	* Chaim Linhart, Amit Klein, Ronen Heled, Steve Orrin: "HTTP Request Smuggling" - http://www.watchfire.com/news/whitepapers.aspx
		+
		+
		+
		+
		+	]]

← Older revision	Revision as of 12:05, 8 August 2014
(No difference)

← Older revision	Revision as of 14:39, 31 July 2014
(No difference)

@@ Line 50: / Line 50: @@
 # Some targets (e.g., ASP) will URL-encode the path part of the Location header (e.g., www.victim.com/redirect.asp), making a CRLF sequence useless. However, they fail to encode the query section (e.g., ?interface=advanced), meaning that a leading question mark is enough to bypass this filtering
-For a more detailed discussion about this attack and other information about possible scenarios and applications, check the corresponding papers referenced at the bottom of this section.
+For a more detailed discussion about this attack and other information about possible scenarios and applications, check the papers referenced at the bottom of this section.
 == Gray Box testing and example ==

← Older revision	Revision as of 22:39, 15 December 2008
(No difference)