Overview
Director of Security and Research at Sanctum, Inc. Allows an attacker to place malicious content on a shared cache server (such as a proxy server). All users of that cache will continue to receive the malicious content until the cache entry is purged.
Response splitting. The attacker must find a web resource vulnerable to HTTP Response Splitting and exploit that vulnerability. Cross-User Defacement is also possible by placing malicious web content for a specific user and stealing sensitive information.
(or more) valid (RFC-compliant) messages instead of one. The result of the application's failure to reject illegal user input (malicious/unexpected CR and LF characters may be found especially in Location and Set-Cookie headers).
<%
Normal request:
http://www.the.site/welcome.jsp?lang=Romanian
Normal Response:
Response (actually, 2 responses and some change):
HTTP/1.0 302 Redirect
Location: http://www.the.site/by_lang.jsp?lang=Foo
Connection: Keep-Alive
Content-Length: 0

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 20

<html>Gotcha</html>
Connection: Keep-Alive
Content-Length: 0
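The root cause named above (CR and LF accepted in a value copied into the Location header) can be checked in a few lines. This is an added example, not code from the original slides: the function names, the framing parser and the SAMPLE value are assumptions constructed for illustration, and the parser frames messages by Content-Length the way a keep-alive cache would.

```python
CRLF = "\r\n"

def build_redirect(lang: str) -> bytes:
    """Vulnerable pattern: the decoded parameter is copied into Location as-is."""
    return (f"HTTP/1.0 302 Redirect{CRLF}"
            f"Location: http://www.the.site/by_lang.jsp?lang={lang}{CRLF}"
            f"Connection: Keep-Alive{CRLF}"
            f"Content-Length: 0{CRLF}{CRLF}").encode("latin-1")

def build_redirect_checked(lang: str) -> bytes:
    """Hardened form: refuse CR, LF and NUL before the value reaches a header."""
    if any(c in lang for c in "\r\n\x00"):
        raise ValueError("control character in header value")
    return build_redirect(lang)

def split_messages(stream: bytes) -> list:
    """Frame a byte stream as a cache does: headers, then Content-Length
    bytes of body, then look for the next status line."""
    messages = []
    while stream.startswith(b"HTTP/"):
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break
        length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        messages.append(head + sep + rest[:length])
        stream = rest[length:]
    return messages

# Constructed sample: the decoded parameter value that yields the
# two-message response shown above (length computed from the body).
BODY = "<html>Gotcha</html>"
SAMPLE = (f"Foo{CRLF}Connection: Keep-Alive{CRLF}Content-Length: 0{CRLF}{CRLF}"
          f"HTTP/1.0 200 OK{CRLF}Content-Type: text/html{CRLF}"
          f"Content-Length: {len(BODY)}{CRLF}{CRLF}{BODY}")

if __name__ == "__main__":
    print(len(split_messages(build_redirect("Romanian"))))  # 1
    print(len(split_messages(build_redirect(SAMPLE))))      # 2
    try:
        build_redirect_checked(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

The trailing "Connection" and "Content-Length" lines left over after the second message are the "some change" in the response above; the parser stops there because they do not begin with a status line.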
7 Software Security, FCS Iasi, 2013-2014
Splitting
2) Force the cache server to flush the actual cache content (Pragma: no-cache or Cache-Control)
3) Send a specially crafted request, as the previous
4) Send the next request (poisoned resource). The injected Response #2 will serve as a response from Step #3 and will be stored by the shared web cache server.
another
Take into account the URI length (GET / POST).
The attack scenario depends on the web server implementation (Microsoft ASP, Jakarta Tomcat, IBM WebSphere etc.):
Where does the second message start?