December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Recipe 9-8: Preventing HTTP Response Splitting Attacks
This recipe shows how to identify when attackers attempt to use HTTP response splitting attacks.
Ingredients
- OWASP ModSecurity Core Rule Set (CRS)
- modsecurity_crs_40_generic_attacks.conf
- ModSecurity
- REQUEST_URI variable
- REQUEST_BODY variable
- REQUEST_HEADERS variable
- XML variable
- @rx operator
CAPEC-34: HTTP Response Splitting
This attack uses a maliciously-crafted HTTP request in order to cause a vulnerable web server to respond with an HTTP response stream that will be interpreted by the client as two separate responses instead of one. This is possible when user-controlled input is used unvalidated as part of the response headers. The target software, the client, will interpret the injected header as being a response to a second request, thereby causing the maliciously-crafted contents to be displayed and possibly cached.
Sample Attacks
This proof-of-concept example outlines how HTTP response splitting works. Consider the following PHP code:
<?php
header ("Location: /lang_page.php?lang=" . $_GET['language']);
?>A request looks like this:
GET /index.php?language=english HTTP/1.1And the corresponding response headers would look like this:
HTTP/1.1 302 Found
Location: /lang_page.php?lang=englishIf an attacker injected control (CR) or linefeed (LF) characters into the parameter, he might be able to reformat the response header content:
GET /index.php?language=english%0aContent-Length:%200%0a%0aHTTP/1.1% ...