HTTP response splitting
   HOME

TheInfoList



Click Here for Items Related To - HTTP response splitting
OR:
HTTP response splitting on:   [Wikipedia]   [Google]   [Amazon]

HTTP response splitting is a form of
web application A web application (or web app) is application software that is accessed using a web browser. Web applications are delivered on the World Wide Web to users with an active network connection. History In earlier computing models like client-serv ...
vulnerability Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." A window of vulnerability (WOV) is a time frame within which defensive measures are diminished, com ...
, resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform
cross-site scripting Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability m ...
attacks, cross-user defacement, web cache poisoning, and similar exploits. The attack consists of making the server print a
carriage return A carriage return, sometimes known as a cartridge return and often shortened to CR, or return, is a control character or mechanism used to reset a device's position to the beginning of a line of text. It is closely associated with the line feed ...
(CR,
ASCII ASCII ( ), abbreviated from American Standard Code for Information Interchange, is a character encoding standard for electronic communication. ASCII codes represent text in computers, telecommunications equipment, and other devices. Because ...
)
line feed Newline (frequently called line ending, end of line (EOL), next line (NEL) or line break) is a control character or sequence of control characters in character encoding specifications such as ASCII, EBCDIC, Unicode, etc. This character, or a ...
(LF, ASCII ) sequence followed by content supplied by the attacker in the header section of its response, typically by including them in input fields sent to the application. Per the
HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide We ...
standard (RFC 2616), headers are separated by one CRLF and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses—hence the name.


Prevention

The generic solution is to URL-encode strings before inclusion into
HTTP header The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, w ...
s such as ''Location'' or ''Set-Cookie''. Typical examples of sanitization include
casting Casting is a manufacturing process in which a liquid material is usually poured into a mold, which contains a hollow cavity of the desired shape, and then allowed to solidify. The solidified part is also known as a ''casting'', which is ejected ...
to
integer An integer is the number zero (), a positive natural number (, , , etc.) or a negative integer with a minus sign ( −1, −2, −3, etc.). The negative numbers are the additive inverses of the corresponding positive numbers. In the languag ...
s or aggressive
regular expression A regular expression (shortened as regex or regexp; sometimes referred to as rational expression) is a sequence of characters that specifies a search pattern in text. Usually such patterns are used by string-searching algorithms for "find" ...
replacement. Although response splitting is not specific to
PHP PHP is a general-purpose scripting language geared toward web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995. The PHP reference implementation is now produced by The PHP Group. ...
, the PHP interpreter contains protection against the attack since version 4.4.2 and 5.1.2.


References


External links


Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics. Amit Klein, 2004.

Target Web Application Vulnerable to HTTP Header Injection

HTTP Response Splitting, The Web Application Security Consortium

Wapiti Open Source XSS, Header, SQL and LDAP injection scanner

LWN article
* /cwe.mitre.org/data/definitions/113.html CWE-113: Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
HTTP Response Splitting Attack - OWASP

CRLF Injection - OWASP
Web security exploits Hypertext Transfer Protocol headers {{web-stub