HTTP Response Splitting, or CRLF injection, is an attack technique that enables a range of further attacks: web cache poisoning, cross-user defacement, hijacking of pages carrying sensitive user information and, our favorite, cross-site scripting (XSS). The technique, and the attacks derived from it, apply to most web environments and are the result of the application's failure to reject illegal user input, in this case input containing malicious or unexpected characters (the CR and LF bytes that terminate an HTTP header line).
The talk will cover the concept of the attack and will take you through some use cases.
2. Involved parties
Root problem
Example
Web cache poisoning
XSS
Other derived attacks
Recommendations
3. There are always (at least) 3 parties involved
Web server: hosts the application with the vulnerability (Tomcat, Apache, IIS etc.)
Target: an entity that interacts with the web server on behalf of the client, e.g. a Squid proxy
Attacker: initiates the attack
4. Failure to reject illegal user input
Specifically input containing CR and LF characters: Carriage Return and Line Feed, %0d%0a when URL-encoded, \r\n in most programming languages
The data (user input) is included in an HTTP response header without any validation, so a CR LF pair in the input ends the header early and everything after it is read as further headers, or as a new response.
HTTP connection sharing: one server TCP connection carries the responses for several requests (and, behind a proxy, for several clients), so an extra response can be matched to somebody else's request.
Caching: the site gives up control over its content in exchange for performance and speed, and a forged response that reaches the cache is served to every later visitor.
5. Normal request:
http://www.the.site/new_page.asp?lang=german
Normal response:
HTTP/1.0 302 Redirect
Location: http://www.the.site/new_page.asp?lang=german
Connection: Keep-Alive
Content-Length: 0
10. XSS: the second response is entirely controlled by the attacker, so JavaScript or HTML can be placed in its body and is rendered by the victim's browser in the vulnerable site's origin.
11. Evade CSP: Content Security Policy instructs the client browser from which locations and of which types resources are allowed to be loaded.
Certain browsers honour only the first occurrence of a given HTTP response header, so a permissive policy injected ahead of the server's own header is the one that takes effect.
HTTP response header names: Content-Security-Policy (standard) and X-Content-Security-Policy (older, vendor-prefixed)
Lang=en_US%0d%0aX-Content-Security-Policy: allow *
14. For developers:
◦ Validate user input and reject or remove CR and LF characters (or percent-encode the value), particularly when setting cookies and redirecting
For proxy vendors:
◦ Avoid sharing server TCP connections among different virtual hosts.
◦ Determine the request host from the URL, not from the Host header.
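As an added example that is not part of the original talk, the following Python reconstructs the redirect from slide 5, feeds it the response-splitting payload behind slide 10 and the header-injection payload from slide 11, parses the resulting bytes the way a simple Keep-Alive client would, and shows the hardened handler that the developer recommendation on slide 14 calls for. The handler and helper names, the alert() body and the exact payload strings are assumptions made here, not material from the slides; the server-side code behind new_page.asp is not shown in the talk.

```python
# Added example for this talk (not code from the original slides): a toy
# reconstruction of the redirect behind new_page.asp?lang=..., a hardened
# version following the developer recommendation on the last slide, and a
# small Keep-Alive style parser that shows how a proxy or browser would carve
# the raw bytes into responses. The function names, the two payload strings
# and the alert() body are constructed here and are not from the talk.
from urllib.parse import quote, unquote

CRLF = "\r\n"
SITE = "http://www.the.site/new_page.asp?lang="


def build_redirect_vulnerable(lang: str) -> bytes:
    """Slide 5 response, with the lang parameter copied into Location
    exactly as received. A CR LF pair inside lang ends the header early."""
    response = (
        "HTTP/1.0 302 Redirect" + CRLF
        + "Location: " + SITE + lang + CRLF
        + "Connection: Keep-Alive" + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )
    return response.encode("latin-1")


def safe_header_value(value: str) -> str:
    """Last-line guard: refuse any header value carrying CR, LF or NUL."""
    if any(c in value for c in "\r\n\0"):
        raise ValueError("CR/LF not allowed in an HTTP header value")
    return value


def build_redirect_hardened(lang: str) -> bytes:
    """Same redirect, but lang is percent-encoded so it can only ever be a
    single URL token, and the finished header value is checked anyway."""
    location = safe_header_value(SITE + quote(lang, safe=""))
    response = (
        "HTTP/1.0 302 Redirect" + CRLF
        + "Location: " + location + CRLF
        + "Connection: Keep-Alive" + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )
    return response.encode("latin-1")


def parse_responses(raw: bytes):
    """Carve a byte stream the way a simple Keep-Alive client does: status
    line, headers up to the blank line, then exactly Content-Length body
    bytes, repeated while the remaining data starts a new response. Bytes
    left over that do not start a response are returned separately; on a
    shared proxy connection that residue is what meets the next request."""
    responses = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end == -1 or not raw.startswith(b"HTTP/", pos):
            break
        lines = raw[pos:head_end].decode("latin-1").split(CRLF)
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
        length = next((int(v) for n, v in headers
                       if n.lower() == "content-length"), 0)
        body_start = head_end + 4
        responses.append({"status": lines[0], "headers": headers,
                          "body": raw[body_start:body_start + length]})
        pos = body_start + length
    return responses, raw[pos:]


# Payload for slide 10: close the real response with Content-Length: 0, then
# supply a complete second response whose body is attacker-chosen HTML.
XSS_BODY = b'<script>alert("xss")</script>'
SPLIT_PAYLOAD = unquote(
    "german%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    f"Content-Length:%20{len(XSS_BODY)}%0d%0a%0d%0a"
) + XSS_BODY.decode()

# Payload from slide 11: a single CR LF adds one more header to the same
# response instead of splitting it.
CSP_PAYLOAD = unquote("en_US%0d%0aX-Content-Security-Policy: allow *")


def demo():
    """Run both payloads against the vulnerable handler and the split payload
    against the hardened one; return what a client would observe."""
    split, leftover = parse_responses(build_redirect_vulnerable(SPLIT_PAYLOAD))
    injected, _ = parse_responses(build_redirect_vulnerable(CSP_PAYLOAD))
    hardened, _ = parse_responses(build_redirect_hardened(SPLIT_PAYLOAD))
    return {
        "split_count": len(split),
        "second_status": split[1]["status"] if len(split) > 1 else None,
        "second_body": split[1]["body"] if len(split) > 1 else None,
        "leftover": leftover,
        "injected_headers": [n for n, _ in injected[0]["headers"]],
        "hardened_count": len(hardened),
        "hardened_location": dict(hardened[0]["headers"])["Location"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running demo() shows two responses carved out of one server reply, the trailing Connection and Content-Length bytes left over on the connection (the residue a proxy could pair with the next request on a shared connection, which is what the cache poisoning case relies on), the injected X-Content-Security-Policy header sitting ahead of the server's remaining headers, and a single intact response from the hardened handler, whose Location now carries %0D%0A instead of a real line break.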