HTTP response splitting
Web Design & Development Guide
HTTP response splitting is a form of web application
vulnerability, resulting from the failure of the application or its
environment to properly sanitize input values. It can be used to perform
cross-site scripting attacks, cross-user defacement, Web cache
poisoning, and similar exploits.
The attack consists of making the server emit a carriage return / line feed
sequence (CR, ASCII 0x0D, followed by LF, ASCII 0x0A) and then content supplied by
the attacker inside the header section of its response, typically by placing the
CRLF and the payload in an input value sent to the application. Per the HTTP
standard (RFC 2616), headers are separated by one CRLF and the response's headers
are separated from its body by two. Therefore, a failure to remove CRs and LFs
from values copied into headers allows the attacker to set arbitrary headers, take
control of the body, or break the response into two or more separate responses
(hence the name).
Example
Code at risk
In its simplest form, consider a PHP redirect on the page redir.php:
<?php
// At-risk code: the "id" query parameter is copied into a response header
// without removing CR/LF characters.
header("Location: http://example.tld/goto.php?id=" . $_GET['id']);
?>
This adds a Location header to the HTTP response. $_GET['id'] is replaced
with the "id" field from the query
string, so a request like:
http://any.server.net/redir.php?id=send_me_here
will include "send_me_here" in the response:
HTTP/1.1 302
Date: something
Location: http://example.tld/goto.php?id=send_me_here
Timeout: something
Content-Type: text/html
The attack
An attacker may want to change the cookie a target is given for a website,
possibly as part of a
session fixation attack. This can be done by including the following header:
Set-Cookie: some=value
The attacker can send their target to the following URL:
http://example.tld/redir.php?id=%0d%0aSet-Cookie%3A+some%3Dvalue
The id field, "%0d%0aSet-Cookie%3A+some%3Dvalue", is decoded by the
server to CRLF followed by "Set-Cookie: some=value". This string is then
appended to the Location header, and the injected line is parsed as a header of
its own:
HTTP/1.1 302
Date: something
Location: http://example.tld/goto.php?id=
Set-Cookie: some=value
Timeout: something
Content-Type: text/html
Prevention
The generic solution is to
URL-encode strings before inclusion into HTTP headers such
as Location or Set-Cookie.
The example's code could be protected from this attack by sanitizing $_GET['id'].
Typical examples of sanitization include casting to integer, or aggressive
regular expression replacement that strips or rejects anything outside an
expected character set. It is worth noting that although this is not a
PHP-specific problem, the PHP interpreter has contained protection against this
attack since versions 4.4.2 and 5.1.2 [1].
[1]
http://php.net/changelog
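The attack and the prevention sections above can be run end to end. The following Python block is an added example, not code from the original page or from PHP itself: it models the redir.php behaviour (an unchecked query value concatenated into the Location header), parses the resulting response the way a client would to show that the injected Set-Cookie line becomes a header of its own, and then shows the two fixes the page names, URL-encoding the value before it reaches the header and a whitelist check that rejects the input outright. The header set, the `sanitize_id` character class and the request values are constructed assumptions for the example, not part of the page.

```python
"""Added example (not from the original page): models the redir.php redirect in
Python so the split and its prevention can be run offline.

All request values used here are constructed sample input."""
import re
from urllib.parse import quote, unquote_plus

CRLF = "\r\n"
LOCATION_PREFIX = "http://example.tld/goto.php?id="


def build_response_vulnerable(decoded_id: str) -> str:
    """Mirror the at-risk PHP: the already URL-decoded query value is
    concatenated into the Location header without removing CR/LF.
    The header set is an assumption for the example."""
    headers = [
        "HTTP/1.1 302 Found",
        "Location: " + LOCATION_PREFIX + decoded_id,
        "Content-Type: text/html",
    ]
    return CRLF.join(headers) + CRLF + CRLF


def build_response_fixed(decoded_id: str) -> str:
    """Hardened form from the prevention section: URL-encode the value before
    inclusion in the header, so CR and LF become %0D%0A and can no longer
    terminate a header line.  safe="" encodes everything outside the
    unreserved set, including ':' and '='."""
    headers = [
        "HTTP/1.1 302 Found",
        "Location: " + LOCATION_PREFIX + quote(decoded_id, safe=""),
        "Content-Type: text/html",
    ]
    return CRLF.join(headers) + CRLF + CRLF


def parse_headers(response: str) -> dict:
    """Read the header section as a client does: the status line, then one
    header per CRLF-separated line, up to the first empty line."""
    head = response.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    parsed = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        parsed[name.strip()] = value.strip()
    return parsed


def contains_crlf(value: str) -> bool:
    """Minimal check a header-writing helper should make: refuse any value that
    carries a bare CR or LF."""
    return "\r" in value or "\n" in value


def sanitize_id(decoded_id: str) -> str:
    """Whitelist alternative from the prevention section (the page also
    mentions casting to integer): accept only a short token of safe
    characters and reject everything else.  The character class is an
    assumption for the example."""
    if not re.fullmatch(r"[A-Za-z0-9_\-]{1,64}", decoded_id):
        raise ValueError("invalid id")
    return decoded_id


if __name__ == "__main__":
    # The id from the page's attack URL, decoded as the server would decode it.
    injected = unquote_plus("%0d%0aSet-Cookie%3A+some%3Dvalue")
    print("vulnerable:", parse_headers(build_response_vulnerable(injected)))
    print("fixed:     ", parse_headers(build_response_fixed(injected)))
    print("crlf present:", contains_crlf(injected))
```

Running the script prints a `Set-Cookie` entry for the vulnerable response and none for the fixed one, whose Location value now ends in the literal text `%0D%0ASet-Cookie%3A%20some%3Dvalue`. In practice, use both layers: encode values at the point where they are written into headers, and validate untrusted input against an expected shape before it ever reaches that point.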
Web Design & Development Guide, made by MultiMedia. This guide is licensed under
the GNU Free Documentation License. It uses material from the Wikipedia.