HTTP Response Splitting |
Attack Pattern ID: 34 (Detailed Attack Pattern Completeness: Complete) | Typical Severity: High | Status: Draft |
Summary
This attack uses a maliciously-crafted HTTP request in order to cause a vulnerable web server to respond with an HTTP response stream that will be interpreted by the client as two separate responses instead of one. This is possible when user-controlled input is used unvalidated as part of the response headers. The target software, the client, will interpret the injected header as being a response to a second request, thereby causing the maliciously-crafted contents be displayed and possibly cached.
To achieve HTTP Response Splitting on a vulnerable web server, the attacker:
Attack Execution Flow
Spider:
Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links, the forms and all potential user-controllable input points for the web application.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL, forms found in the pages (like file upload, etc.).
env-Web2 Use a proxy tool to record all links visited during a manual traversal of the web application.
env-Web3 Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
env-WebIndicators
ID type Indicator Description Environments 1 Positive Inputs are transported through HTTP
env-Web2 Positive The application uses redirection techniques (HTTP Location, etc.)
env-Web3 Inconclusive Using URL rewriting, parameters may be part of the URL path.
env-Web4 Inconclusive No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.
env-Web5 Negative Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.
env-WebOutcomes
ID type Outcome Description 1 Success A list of user-controllable input entry points is created by the attacker.Security Controls
ID type Security Control Description 1 Detective Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).2 Detective Create links on some pages that are visually hidden from web browsers. Using IFRAMES, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.3 Preventative Use CAPTCHA to prevent the use of the application by an automated tool.4 Preventative Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Attempt variations on input parameters:
The attacker injects the entry points identified in the Explore Phase with response splitting syntax and variations of payloads to be acted on in the additional response. He records all the responses from the server that include unmodified versions of his payload.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Use CR\LF characters (encoded or not) in the payloads in order to see if the HTTP header can be split.
env-Web2 Use a proxy tool to record the HTTP responses headers.
env-WebIndicators
ID type Indicator Description Environments 1 Positive The web server uses unvalidated user-controlled input as part of the response headers
env-WebOutcomes
ID type Outcome Description 1 Success The CR\LF characters are passed in the HTTP header and two responses are generated for a single request.2 Failure All CR\LF characters are consistently re-encoded or stripped before being written in the HTTP header3 Inconclusive The size of the payload is being limited by the server-side application.4 Inconclusive Some sensitive characters are consistently encoded, but others are not.Security Controls
ID type Security Control Description 1 Detective Monitor input to web servers (not only GET, but all in the inputs), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on CR\LF characters.2 Preventative Do not use user-controllable inputs in HTTP headers3 Preventative Filter CR/LF syntax out of any user-controllable input utilized in HTTP headers.4 Preventative Actively monitor the application and either deny or redirect requests from origins that appear to be generating HTTP Response Splitting attacks.
Cross-Site Scripting:
As the attacker succeeds in exploiting the vulnerability, he can choose to attack the user with Cross-Site Scripting. The possible outcomes of such an attack are described in the Cross-Site Scripting related attack patterns.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 SecurityDatabase\Alert\Inject cross-site scripting payload preceded by response splitting syntax (CR/LF) into user-controllable input identified as vulnerable in the Experiment Phase.
env-WebOutcomes
ID type Outcome Description 1 Success The malicious script is executed within the user's context.Security Controls
ID type Security Control Description 1 Detective Monitor server logs for consecutive suspicious HTTP request2 Preventative Apply appropriate input validation to filter all user-controllable input of scripting syntax3 Preventative Appropriately encode all browser output to avoid scripting syntaxCache poisoning:
Attack Step Techniques
ID Attack Step Technique Description Environments 1 The attacker decides to target the cache server by forging new responses. The server will then cache the second request and response. The cached response has most likely an attack vector like Cross-Site Scripting; this attack will then be serve to many clients due to the caching system.
env-WebIndicators
ID type Indicator Description Environments 1 Positive System performs caching of HTTP responses
env-WebOutcomes
ID type Outcome Description 1 Success The attacker gets the users to be served with this cached malicious HTTP response.Security Controls
ID type Security Control Description 1 Detective Monitor server logs for consecutive suspicious HTTP requests.2 Preventative Apply appropriate input validation to filter all user-controllable input of scripting syntax3 Preventative Appropriately encode all browser output to avoid scripting syntax
User-controlled input used as part of HTTP header
Ability of attacker to inject custom strings in HTTP header
Insufficient input validation in application to check for input sanity before using it as part of response header
Description
In the PHP 5 session extension mechanism, a user-supplied session ID is sent back to the user within the Set-Cookie HTTP header. Since the contents of the user-supplied session ID are not validated, it is possible to inject arbitrary HTTP headers into the response body. This immediately enables HTTP Response Splitting by simply terminating the HTTP response header from within the session ID used in the Set-Cookie directive.
Related Vulnerabilities
CVE-2006-0207
Skill or Knowledge Level: High
The attacker needs to have a solid understanding of the HTTP protocol and HTTP headers and must be able to craft and inject requests to elicit the split responses.
With available source code, the attacker can see whether user input is validated or not before being used as part of output. This can also be achieved with static code analysis tools
If source code is not available, the attacker can try injecting a CR-LF sequence (usually encoded as %0d%0a in the input) and use a proxy such as Paros to observe the response. If the resulting injection causes an invalid request, the web server may also indicate the protocol error.
The only indicators are multiple responses to a single request in the web logs. However, this is difficult to notice in the absence of an application filter proxy or a log analyzer. There are no indicators for the client
To avoid HTTP Response Splitting, the application must not rely on user-controllable input to form part of its output response stream. Specifically, response splitting occurs due to injection of CR-LF sequences and additional headers. All data arriving from the user and being used as part of HTTP response headers must be subjected to strict validation that performs simple character-based as well as semantic filtering to strip it of malicious character sequences and headers.
Encoded HTTP header and data separated by appropriate CR-LF sequences. The injected data must consist of legitimate and well-formed HTTP headers as well as required script to be included as HTML body.
The impact of payload activation is that two distinct HTTP responses are issued to the target, which interprets the first as response to a supposedly valid request and the second, which causes the actual attack, to be a response to a second dummy request issued by the attacker.
CWE-ID | Weakness Name | Weakness Relationship Type |
---|---|---|
113 | Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | Targeted |
697 | Insufficient Comparison | Targeted |
707 | Improper Enforcement of Message or Data Structure | Targeted |
713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Targeted |
74 | Failure to Sanitize Data into a Different Plane ('Injection') | Secondary |
Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
---|---|---|---|---|---|
ChildOf | Attack Pattern | 220 | Client-Server Protocol Manipulation | Mechanism of Attack (primary)1000 | |
ChildOf | Category | 358 | WASC Threat Classification 2.0 - WASC-25 - HTTP Response Splitting | WASC Threat Classification 2.0333 |
All client-supplied input must be validated through filtering and all output must be properly escaped.
CWE - HTTP Response Splitting
CWE - Injection
Submissions | ||||
---|---|---|---|---|
Submitter | Date | Comments | ||
Chiradeep B Chhaya | 2007-01-09 | First Draft |
Modifications | |||||
---|---|---|---|---|---|
Modifier | Organization | Date | Comments | ||
Malik Hamro | Cigital, Inc | 2007-02-27 | Reformat to new schema and review | ||
Sean Barnum | Cigital, Inc | 2007-03-05 | Review and revise | ||
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Description | ||
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback | ||
Romain Gaucher | Cigital, Inc | 2009-02-10 | Created draft content for detailed description | ||
Sean Barnum | Cigital Federal, Inc | 2009-04-13 | Reviewed and revised content for detailed description |