Arian J. Evans wrote:
> <inline>
> On 4/20/07, *Amit Klein* <aksecurity_at_gmail.com
> <mailto:aksecurity_at_gmail.com>> wrote:
>
> Arian J. Evans wrote:
> > Q: "How?"
> > Scanner Jockey: ...
> > <Blink>
> >
>
> Okay, I think I understand what scanner folks mean. The thing is, HTTP
> Response Splitting can be viewed as a special case of a wider attack -
> HTTP Response Header injection. Through the latter attack, you can
>
>
> No, I mean, people think they are injecting a header into *the* response.
>
They do!
Consider a situation like this: you have an injection point in the
Location response header of a 302 response. You inject:
foo%0d%0aSet-Cookie:%20bar=baz
The net result is a 302 response e.g.:
HTTP/1.1 302 Redirect
Location: foo
Set-Cookie: bar=baz
Content-Lenght: 0
So cookie setting it is, through HTTP response header injection.
Naturally the scanners recognize this as (also) HTTP Response Splitting
(you could inject a whole new response in there). Hence the confusion.
-------------------------------------------------------------------------
Sponsored by: Watchfire
Cross-Site Scripting (XSS) is one of the most common application-level
attacks that hackers use to sneak into web applications today. This
whitepaper will discuss how traditional XSS attacks are performed, how to
secure your site against these attacks and check if your site is protected.
Cross-Site Scripting Explained - Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHA
--------------------------------------------------------------------------
Received on Apr 20 2007
Intro
