DefenseCode

HTTP Response Splitting

Risk type:MEDIUM

Description:

HTTP response splitting is a web application vulnerability which allows the attacker to use carriage-return (CR, ASCII 0x0D) line-feed (LF, ASCII 0x0A) sequence to craft one HTTP request which is interpreted as two HTTP responses (instead of one) on the target’s machine, potentially allowing different types of other attacks (cross-site scripting, cross-user attacks, web cache poisoning...).

Example:

Let’s assume that a vulnerable web page "page.php" can be shown in English and Spanish language. Initial request...

http://www.victim.com/page.php

…will be redirected to:

http://www.victim.com/page.php?lang=en

HTTP redirect 302 response header in this case will be:

HTTP/1.1 302 Found
Location: http://www.victim.com/page.php?lang=en
...

If the user selects Spanish from the list of available languages he will be redirected to:

http://www.victim.com/page.php?lang=es

HTTP redirect 302 response header in this case will look like this (only the value of lang parameter will be changed):

HTTP/1.1 302 Found
Location: http://www.victim.com/page.php?lang=es
...

If the web server is behind cache proxy, the attacker can craft a request which contains two responses, separated by %0d%0a (CR, LF):

http://www.victim.com/page.php?lang=es%0d%0aContent-Length:%200%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2018%0d%0aYou’ve been hacked

The web server will now send two responses: 1st, the regular one (colored blue), and 2nd, forged by the attacker (colored red):

HTTP/1.1 302 Found
Location: http://www.victim.com/page.php?lang=es
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 18
You’ve been hacked

The 2nd response (red) is now hanging because there is no request for it. The attacker immediately sends a request for some other web page on the server ("page2.php"):

http://www.victim.com/page2.php

Forged (red) response will now be mapped to this request, which will be saved in cache proxy server (cache poisoning), so every other user that sends a request for "page2.php" page will get "You’ve been hacked" page.

Similar methods could be used for other types of attacks (cross-site scripting, cross-user attacks, web cache poisoning...).

Mitigation:

  • Use server side validation.
  • Remove CRs and LFs (and all other hazardous characters) before embedding data into any HTTP response header, particularly when setting cookies and redirecting.
  • Regular application update.
  • Use a whitelist of acceptable inputs that strictly conform to specifications.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, etc..

Further reading:

https://www.owasp.org/index.php/HTTP_Response_Splitting
http://securityjuggernaut.blogspot.com/2012/01/practical-http-response-splitting.html