Http response splitting

•Descargar como PPTX, PDF•

3 recomendaciones•3,448 vistas

HTTP Response Splitting or CRLF injection is an attack technique which enables various attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and our favorite, cross-site scripting (XSS). This attack technique, and the derived attacks from it, are relevant to most web environments and is the result of the application’s failure to reject illegal user input, in this case, input containing malicious or unexpected characters. The talk will cover the concept of the attack and will take you through some use cases.

Tecnología

 Involved parties
 Root problem
 Example
 Web cache poisoning
 XSS
 Other derived attacks
 Recommendations

 There are always 3 parties (atleast) involved
 Web server: hosts the application, with the
vulnerability. (Tomcat, Apache, IIS etc.)
 Target: An entity that interacts with the web
server on behalf of the client. Eg: squid proxy
 Attacker: initiates the attack

 Failure to reject illegal user input
 Specifically input containing CR and LF
characters
 Carriage Return and Line Feed - %0d%0a
(rn)
 The data (user input) is included in an HTTP
response header without any validation.
 HTTP connection sharing
 Caching – less control over the site content,
improve performance, speed etc.

 Normal request:
http://www.the.site/new_page.asp?lang=german
 Normal response:
HTTP/1.0 302 Redirect
Location:
http://www.the.site/new_page.asp?lang=german
Connection: Keep-Alive
Content-Length: 0

 Request (attacker):
http://www.the.site/welcome.asp?lang=Foo%0d%0aConnection:%20Keep-
Alive%0d%0aContent-
Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-
Type:%20text/html%0a%0aContent-
Length:%2020%0d%0a%0d%0a<html>Pwned!</html>
 Response:
HTTP/1.0 302 Redirect
Location: http://www.the.site/new_page.asp?lang=Foo
Connection: Keep-Alive
Content-Length: 0
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 20
<html>Pwned!</html>Connection: Keep-Alive
Content-Length: 0

 Attack overview:
 Attacker sends 2 requests:
 1. HTTP response splitter (with %0d%0a)
 2. An innocent request
 Proxy will match 1st request -> 1st reponse
 2nd request (innocent) -> 2nd response in
cache (Pwned!)

9
1st attacker request
(response splitter) 1st attacker request
302
302
200
(Pwned!)
(response splitter)
2nd attacker request
(innocent /index.html)
2nd attacker request
(innocent /index.html)
200
(Pwned!) 200
(Welcome)

 XSS: The second response is controlled by the
attacker and JavaScript or HTML code can be
inserted.

 Evade CSP – Content Security Policy – instructs
the client browser from which location and/or
which type of resources are allowed to be loaded
 Certain browsers will interpret the first
occurrence of HTTP header
 HTTP Response header
Content-Security-Policy:
X-Content-Security-Policy
Lang=en_US%0d%0aX-Content-Security-Policy: allow *

 For developers:
◦ Validate user input and remove CRLF characters
(particularly when setting cookie and redirecting)
 For proxy vendors:
◦ Avoid sharing server TCP connections among
different virtual hosts.
◦ Maintain request host header correctly from the URL
and not from the Host header.

Más contenido relacionado

La actualidad más candente

HTTP/2 for Developers: How It Changes Developer's Life? by Svetlin Nakov (SoftUni) - http://www.nakov.com jProfessionals Conference - Sofia, 22-Nov-2015 Key new features in HTTP/2 - Multiplexing: multiple streams over a single connection - Header compression: reuse headers from previous requests - Sever push: multiple parallel responses for a single request - Prioritization and flow control: resources have priorities

HTTP/2 for Developers

Svetlin Nakov

Live Hacking like a MVH – A walkthrough on methodology and strategies to win big

Frans Rosén

File inclusion

AaftabKhan14

As some of my colleagues are solving various SSL/TLS problems for one of our customers, I have prepared the above mentioned training for them. The training is divided to three parts: - Brief Introduction to Public Key Infrastructure (PKI) - Introduction to SSL/TLS Protocols - Practical Examples and Hints The last part primarily consists of hands-on exercises with Wireshark, covering variety of successful and failed SSL/TLS handshakes. The hands-on exercises are based on easily configurable dummy SSL client and server implemented in Java (available at https://github.com/Jardo72/SSL-Sandbox).

SSL/TLS Introduction with Practical Examples Including Wireshark Captures

JaroslavChmurny

Understanding Cross-site Request Forgery

Daniel Miessler

Most learning materials for web app pentesting focus on “old school” apps. Maybe they have a little jQuery sprinkled in, but most of the heavy-lifting happens server-side. With the dawn of frontend frameworks like AngularJS, Vue, and React and Single-Page Applications, the way web apps are developed is changing, and pentesters need to keep up. This talk runs through common security issues with and approaches to testing these new apps.

Pentesting Modern Web Apps: A Primer

Brian Hysell

Frans Rosén Keynote at BSides Ahmedabad

Security BSides Ahmedabad

WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties. Follow Jason on Twitter: http://twitter.com/jhaddix Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

bugcrowd

Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism. Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour

Soroush Dalili

HTTP/2 Changes Everything

Lori MacVittie

OAuth is one of the most successful authorization protocols on the Internet. The OAuth 2.0 framework, the proposed standard to replace OAuth 1.0, enables a third-party application to obtain limited access to an application, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the application, or by allowing the third-party application to obtain access on its own behalf. In this webinar, we provide an overview of the OAuth 2.0 authorization model, how it fits in the enterprise environment, and some critical security implications of note for software architects and security analysts. Vulnerable App: https://github.com/topavankumarj/Vulnerable-OAuth2.0-Application Key Takeaways: 1.) Comprehensive understanding of the OAuth 2.0 authorization framework. 2.) Threats/Attacks specific to OAuth 2.0 3.) Practical demonstration of exploit vectors 4.) Outline of architectural best practices in OAuth 2.0 Who should attend: 1.) Application architects /API developers who use OAuth to publish and/or interact with protected data. 2.) Security Analysts who want to learn about security implications relevant to the OAuth Framework.

Security for oauth 2.0 - @topavankumarj

Pavan Kumar J

Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team

OWASP Delhi

Talk Venue: BSides Tampa 2020 Speakers: Mike Felch & Joff Thyer This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.

Offensive Python for Pentesting

Mike Felch

SSRF workshop

Ivan Novikov

Type of DDoS attacks with hping3 example

Himani Singh

Advanced phishing for red team assessments

JEBARAJM

SSL basics and SSL packet analysis using wireshark

Al Imran, CISA

LFI to RCE

n|u - The Open Security Community

Bug Bounty Hunter Methodology - Nullcon 2016

bugcrowd

A2 - broken authentication and session management(OWASP thailand chapter Apri...

Noppadol Songsakaew

La actualidad más candente (20)

HTTP/2 for Developers

Live Hacking like a MVH – A walkthrough on methodology and strategies to win big

File inclusion

SSL/TLS Introduction with Practical Examples Including Wireshark Captures

Understanding Cross-site Request Forgery

Pentesting Modern Web Apps: A Primer

Frans Rosén Keynote at BSides Ahmedabad

How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour

HTTP/2 Changes Everything

Security for oauth 2.0 - @topavankumarj

Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team

Offensive Python for Pentesting

SSRF workshop

Type of DDoS attacks with hping3 example

Advanced phishing for red team assessments

SSL basics and SSL packet analysis using wireshark

LFI to RCE

Bug Bounty Hunter Methodology - Nullcon 2016

A2 - broken authentication and session management(OWASP thailand chapter Apri...

Similar a Http response splitting

Cyber Security-Ethical Hacking

Viral Parmar

Browser Security

Roberto Suggi Liverani

Web Application Security

Chris Hillman

Owasp Top 10 - Owasp Pune Chapter - January 2008

abhijitapatil

Xssandcsrf

Prabhanshu Saraswat

logout.php Session Data after Logout Username Email " . $_SESSION['appusername'] . " " . "" . $_SESSION['appemail'] . " "; ?> ZAP Scanning Report for loginAuthReport.odt ZAP Scanning Report Summary of Alerts Risk Level Number of Alerts High 2 Medium 1 Low 5 Informational 3 Alert Detail High (Warning) Cross Site Scripting (Reflected) Description Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology. When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise. There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based. Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash. Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code. URL http://localhost/week4/authcheck.php Parameter username Attack </td><script>alert(1);</script><td> Solution Phase ...

logout.php Session Data after Logout Username Email . $_.docx

smile790243

Cross site scripting (XSS) is a type of computer security vulnerability typically found in web applications, but in proposing defensive measures for cross site scripting the websites validate the user input and determine if they are vulnerable to cross site scripting. The major considerations are input validation and output sanitization. There are lots of defense techniques introduced nowadays and even though the coding methods used by developers are evolving to counter attack cross site scripting techniques, still the security threat persist in many web applications for the following reasons: • The complexity of implementing the codes or methods. • Non-existence of input data validation and output sanitization in all input fields of the application. • Lack of knowledge in identifying hidden XSS issues etc. This proposed project report will briefly discuss what cross site scripting is and highlight the security features and defense techniques that can help against this widely versatile attack.

Cross Site Scripting Defense Presentation

Ikhade Maro Igbape

Webbasics

patinijava

Top 10 Security Vulnerabilities (2006)

Susam Pal

Cross Site Scripting (XSS)

Barrel Software

Intro to Web Application Security

Rob Ragan

A web server, which can be referred to as the hardware, the computer, or the software, is the computer application that helps to deliver content that can be accessed through the Internet. Most people think a web server is just the hardware computer, but a web server is also the software computer application that is installed in the hardware computer. The primary function of a web server is to deliver web pages on the request to clients using the Hypertext Transfer Protocol (HTTP).

Module 11 (hacking web servers)

Wail Hassan

Cache poisoning

AlexandraLacatus

Pentesting web applications

Satish b

Appl layer

rajanikant

This presentation is from Null/OWASP/G4H November Bangalore MeetUp 2014. technology.inmobi.com/events/null-owasp-g4h-november-meetup Talk Outline:- A) Reflective-(Non-Persistent Cross-site Scripting) - What is Reflective Cross-site scripting. - Testing for Reflected Cross site scripting How to Test - Black Box testing - Bypass XSS filters - Gray Box testing Tools Defending Against Reflective Cross-site scripting. Examples of Reflective Cross-Site Scripting Attacks. B) Stored -(Persistent Cross-site Scripting) What is Stored Cross-site scripting. How to Test - Black Box testing - Gray Box testing Tools Defending Against Stored Cross-site scripting. Examples of Stored Cross-Site Scripting Attacks.

Reflective and Stored XSS- Cross Site Scripting

InMobi Technology

04. xss and encoding

Eoin Keary

Presentation (PowerPoint File)

webhostingguy

Presentation (PowerPoint File)

webhostingguy

РИТ++ 2017, HighLoad Junior Зал Сингапур, 6 июня, 11:00 Тезисы: http://junior.highload.ru/2017/abstracts/2545.html Вы поставили HTTP-акселератор перед вашим web-сервером для ускорения отдачи контента, но запросы пользователей по-прежнему отдаются с большой задержкой, а ресурсы сервера кажутся незагруженными. А, может, после того, как поставили web-акселератор, web-приложение сломалось, да еще и так, что проблема воспроизводится редко, хуже того, о ней могут знать ваши пользователи, но не вы. ...

Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...

Ontico

Similar a Http response splitting (20)

Cyber Security-Ethical Hacking

Browser Security

Web Application Security

Owasp Top 10 - Owasp Pune Chapter - January 2008

Xssandcsrf

logout.php Session Data after Logout Username Email . $_.docx

Cross Site Scripting Defense Presentation

Webbasics

Top 10 Security Vulnerabilities (2006)

Cross Site Scripting (XSS)

Intro to Web Application Security

Module 11 (hacking web servers)

Cache poisoning

Pentesting web applications

Appl layer

Reflective and Stored XSS- Cross Site Scripting

04. xss and encoding

Presentation (PowerPoint File)

Проксирование HTTP-запросов web-акселератором / Александр Крижановский (Tempe...

Último

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Http response splitting

1. By Sharath Unni @haxorhead

2.  Involved parties  Root problem  Example  Web cache poisoning  XSS  Other derived attacks  Recommendations

3.  There are always 3 parties (atleast) involved  Web server: hosts the application, with the vulnerability. (Tomcat, Apache, IIS etc.)  Target: An entity that interacts with the web server on behalf of the client. Eg: squid proxy  Attacker: initiates the attack

4.  Failure to reject illegal user input  Specifically input containing CR and LF characters  Carriage Return and Line Feed - %0d%0a (rn)  The data (user input) is included in an HTTP response header without any validation.  HTTP connection sharing  Caching – less control over the site content, improve performance, speed etc.

5.  Normal request: http://www.the.site/new_page.asp?lang=german  Normal response: HTTP/1.0 302 Redirect Location: http://www.the.site/new_page.asp?lang=german Connection: Keep-Alive Content-Length: 0

6.  Request (attacker): http://www.the.site/welcome.asp?lang=Foo%0d%0aConnection:%20Keep- Alive%0d%0aContent- Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent- Type:%20text/html%0a%0aContent- Length:%2020%0d%0a%0d%0a<html>Pwned!</html>  Response: HTTP/1.0 302 Redirect Location: http://www.the.site/new_page.asp?lang=Foo Connection: Keep-Alive Content-Length: 0 HTTP/1.0 200 OK Content-Type: text/html Content-Length: 20 <html>Pwned!</html>Connection: Keep-Alive Content-Length: 0

7.  Attack overview:  Attacker sends 2 requests:  1. HTTP response splitter (with %0d%0a)  2. An innocent request  Proxy will match 1st request -> 1st reponse  2nd request (innocent) -> 2nd response in cache (Pwned!)

9. 9 1st attacker request (response splitter) 1st attacker request 302 302 200 (Pwned!) (response splitter) 2nd attacker request (innocent /index.html) 2nd attacker request (innocent /index.html) 200 (Pwned!) 200 (Welcome)

10.  XSS: The second response is controlled by the attacker and JavaScript or HTML code can be inserted.

11.  Evade CSP – Content Security Policy – instructs the client browser from which location and/or which type of resources are allowed to be loaded  Certain browsers will interpret the first occurrence of HTTP header  HTTP Response header Content-Security-Policy: X-Content-Security-Policy Lang=en_US%0d%0aX-Content-Security-Policy: allow *

12.

13.

14.  For developers: ◦ Validate user input and remove CRLF characters (particularly when setting cookie and redirecting)  For proxy vendors: ◦ Avoid sharing server TCP connections among different virtual hosts. ◦ Maintain request host header correctly from the URL and not from the Host header.

15. Thank you @haxorhead

Notas del editor

Source: OWASPAppsecEU2006
http://www.securityfocus.com/archive/1/411585

Http response splitting

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Http response splitting

Similar a Http response splitting (20)

Último

Último (20)

Http response splitting

Notas del editor