This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "HTTP Response Splitting"

From OWASP
Jump to: navigation, search
 
(27 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
 +
Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
 
+
HTTP response splitting occurs when:
HTTP response splitting vulnerabilities occur when:
 
  
 
* Data enters a web application through an untrusted source, most frequently an HTTP request.  
 
* Data enters a web application through an untrusted source, most frequently an HTTP request.  
 
* The data is included in an HTTP response header sent to a web user without being validated for malicious characters.  
 
* The data is included in an HTTP response header sent to a web user without being validated for malicious characters.  
  
As with many software security vulnerabilities, HTTP response splitting is a means to an end, not an end in itself. At its root, the vulnerability is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.
+
HTTP response splitting is a means to an end, not an end in itself. At its root, the attack is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.
 
 
To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.
 
 
 
== Severity ==
 
 
 
High
 
 
 
== Likelihood of exploitation ==
 
  
Medium
+
To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header AND the underlying platform must be vulnerable to the injection of such characters. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control.
  
 +
The example below uses a Java example, but this issue has been fixed in virtually all modern Java EE application servers. If you are concerned about this risk, you should test on the platform of concern to see if the underlying platform allows for CR or LF characters to be injected into headers. We suspect that, in general, this vulnerability has been fixed in most modern application servers, regardless of what language the code has been written in.
  
 
+
==Examples==
==Examples ==
 
 
 
 
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
 
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
  
Line 43: Line 35:
 
</pre>
 
</pre>
  
However, because the value of the cookie is formed of unvalidated user input the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...", then the HTTP response would be split into two responses of the following form:
+
However, because the value of the cookie is formed of unvalidated user input, the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nContent-Length:45\r\n\r\n...", then the HTTP response would be split into an imposter response followed by the original response, which is now ignored:
  
 
<pre>
 
<pre>
Line 49: Line 41:
 
...
 
...
 
Set-Cookie: author=Wiley Hacker
 
Set-Cookie: author=Wiley Hacker
 +
Content-Length: 999
 
 
HTTP/1.1 200 OK
+
<html>malicious content...</html> (to 999th character in this example)
...
+
Original content starting with character 1000, which is now ignored by the web browser...
 
</pre>
 
</pre>
  
Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability of attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: cross-user defacement, web and browser cache poisoning, cross-site scripting and page hijacking.
+
The ability of the attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: [[Cross-User Defacement]], [[Cache Poisoning]], [[Cross-site Scripting (XSS)]] and [[Page Hijacking]].
  
 +
[[Category: Attack]]
  
== Severity ==
+
__NOTOC__
 
 
 
 
 
 
 
 
== Likelihood of exploit ==
 
 
 
 
 
 
 
 
 
==External References==
 
 
 
http://www.infosecwriters.com/text_resources/pdf/HTTP_Response.pdf - HTTP Response Spliting
 
 
 
http://www.securiteam.com/securityreviews/5WP0E2KFGK.html - Introdution to HTTP Response Spliting
 
 
 
 
 
==Related Threats==
 
 
 
[[Client-side attacks]]
 
 
 
 
 
==Related Attacks==
 
 
 
*[[Cross-User Defacement]]
 
*[[Cache Poisoning]]
 
*[[Cross-Site Scripting]]
 
*[[Page Hijacking]]
 
 
 
 
 
==Related Vulnerabilities==
 
 
 
[[:Category:Input Validation Vulnerability]]
 
 
 
 
 
==Related Countermeasures==
 
 
 
[[:Category:Input Validation]]
 
 
 
 
 
==Credit==
 
 
 
{{Template:Fortify}}
 
 
 
 
 
[[Category: Protocol Manipulation]]
 
 
 
[[Category: Attack]]
 

Latest revision as of 09:10, 29 June 2016

This is an Attack. To view all attacks, please see the Attack Category page.


Last revision: 06/29/2016

Description

HTTP response splitting occurs when:

  • Data enters a web application through an untrusted source, most frequently an HTTP request.
  • The data is included in an HTTP response header sent to a web user without being validated for malicious characters.

HTTP response splitting is a means to an end, not an end in itself. At its root, the attack is straightforward: an attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header.

To mount a successful exploit, the application must allow input that contains CR (carriage return, also given by %0d or \r) and LF (line feed, also given by %0a or \n)characters into the header AND the underlying platform must be vulnerable to the injection of such characters. These characters not only give attackers control of the remaining headers and body of the response the application intends to send, but also allow them to create additional responses entirely under their control.

The example below uses a Java example, but this issue has been fixed in virtually all modern Java EE application servers. If you are concerned about this risk, you should test on the platform of concern to see if the underlying platform allows for CR or LF characters to be injected into headers. We suspect that, in general, this vulnerability has been fixed in most modern application servers, regardless of what language the code has been written in.

Examples

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

	String author = request.getParameter(AUTHOR_PARAM);
	...
	Cookie cookie = new Cookie("author", author);
        cookie.setMaxAge(cookieExpiration);
        response.addCookie(cookie);

Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:

	HTTP/1.1 200 OK
	...
	Set-Cookie: author=Jane Smith
	...

However, because the value of the cookie is formed of unvalidated user input, the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as "Wiley Hacker\r\nContent-Length:45\r\n\r\n...", then the HTTP response would be split into an imposter response followed by the original response, which is now ignored:

	HTTP/1.1 200 OK
	...
	Set-Cookie: author=Wiley Hacker
	Content-Length: 999
	
	<html>malicious content...</html> (to 999th character in this example)
	Original content starting with character 1000, which is now ignored by the web browser...

The ability of the attacker to construct arbitrary HTTP responses permits a variety of resulting attacks, including: Cross-User Defacement, Cache Poisoning, Cross-site Scripting (XSS) and Page Hijacking.