Jump to content

HTTP response splitting

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Daniel Roethlisberger (talk | contribs) at 10:51, 6 March 2007 (Prevention: add generic solution). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, Web cache poisoning, and similar exploits.

The attack consists of making the server print a carriage return (CR, ASCII 0x0D) line feed (LF, ASCII 0x0A) sequence followed by content supplied by the attacker in the header section of its response, typically by including them in input fields sent to the application. Per the HTTP standard (RFC 2616), headers are separated by one CRLF and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses (hence the name).

Example

Code at risk

In its simplest form consider a PHP redirect on page redir.php: 

<?
 header("Location: http://example.tld/goto.php?id=" . $_GET['id']  ); 
?>

This adds a Location header to the HTTP response. $_GET['id'] is replaced with the "id" field from the query string, so a request like: 

http://any.server.net/redir.php?id=send_me_here

will include "send_me_here" in the response: 

HTTP/1.1 302
Date: something
Location: http://example.tld/goto.php?id=send_me_here
Timeout: something
Content-Type: text/html

The attack

An attacker may want to change the cookie a target is given for a website, possibly as part of a session fixation attack. This can be done by including the following header: 

Set-Cookie: some=value

The attacker can send their target to the following URL: 

http://example.tld/redir.php?id=%0d%0aSet-Cookie%3A+some%3Dvalue

The id field, "%0d%0aSet-Cookie%3A+some%3Dvalue", will be decoded to produce CRLF "Set-Cookie: some=value". This string is then appended to the Location header: 

HTTP/1.1 302
Date: something
Location: http://example.tld/goto.php?id=
Set-Cookie: some=value
Timeout: something
Content-Type: text/html

Prevention

The generic solution is to URL-encode strings before inclusion into HTTP headers such as Location or Set-Cookie.

The original code could be protected from this attack by protecting $_GET['id'] inside a nl2br() or preg_replace() function. Although this is not a PHP specific problem, the interpreter contains protection against this attack since version 4.4.2 and 5.1.2.

Retrieved from "https://en.wikipedia.org/w/index.php?title=HTTP_response_splitting&oldid=113037029"