Interesting article on HTTP response splitting

New php-forum User
Posts: 36
Joined: Sat Nov 29, 2003 6:57 am

Sun May 08, 2005 1:31 am

Interesting article on HTTP response splitting. Basically, most web applications that put user-supplied data into HTTP headers are vulnerable.

This is a fairly new web application vulnerability. It can be used for the following purposes.

Cross site scripting (XSS): This is a very common and old form of vulnerability where it allows the user execution of HTML or JavaScript code, which can then lead to the hijacking of the user's cookie or session. They even allow JavaScript code execution and may be used to exploit other vulnerabilities in browsers with more anonymity.

Cross user defacement: This is a form of temporary defacement where the website may look defaced to a particular user. This is used in cases of information, id, or password theft. This enables an attacker to make the website look defaced to a particular single user, thus allowing the attacker to steal session data and cookies. It also allows the attacker to steal login information by forging a fake login screen for the website, thus allowing account compromise.

Web cache poisoning: In this form a rather larger defacement takes place, where a cache which is used by multiple users is poisoned, thus making them think the site has been defaced, or that the site they are seeing is the genuine site when it's not. In this case the attacker uses a proxy server etc. and calls the vulnerable page using it to fool the cache into caching the second server response, over which the attacker has complete control, thus making the website defaced for anyone who uses or shares that cache server or proxy server. Uses for such an attack would vary vastly, some being: defacement, as it causes everyone who uses that cache or proxy to see the website as defaced. The second being phishing, in which by showing a false page loaded by the attacker we can cause many users to give up private credit card numbers, user names, passwords and other confidential information.

Hijacking pages: This allows user access to sensitive information, which might be confidential or not normally accessible to the user. With this the attacker can receive the server's response to the client, allowing sensitive data from the server to the client to be stolen by the attacker.

Browser cache poisoning: This is similar to XSS, the only difference being that the attacker forces the browser to cache the web page, thus forming a long lasting defacement till the browser's cache has been cleared or cleaned.
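The root cause the post names, user-supplied data placed into an HTTP header, shown next to the check that stops it, as an added PHP example that is not part of the original post or the article it refers to; the function names and the allow-list are mine. One caveat: since PHP 5.1.2, header() itself refuses a value containing a newline, so the explicit check mainly matters for code that emits headers another way and for returning a clean error instead of a warning.

```php
<?php
// Added example (not from the post): CR/LF check before user data reaches a header.
// Response splitting needs a CR/LF inside the header value; without one the value
// cannot end the current header and start a forged second response.

// Vulnerable pattern the post describes: request data copied straight into a header.
function redirect_unsafe(string $target): void
{
    header('Location: ' . $target);
}

// Any carriage return or line feed in a would-be header value is rejected.
function header_value_is_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Hardened form: validate the value, then only accept allow-listed local paths.
// $allowed_paths is a hypothetical allow-list the application would maintain.
function redirect_safe(string $target, array $allowed_paths): void
{
    if (!header_value_is_safe($target) || !in_array($target, $allowed_paths, true)) {
        http_response_code(400);
        exit('invalid redirect target');
    }
    header('Location: ' . $target);
    exit;
}

// Constructed inputs for a self-check; returns true when every case behaves as expected.
function run_checks(): bool
{
    $cases = [
        '/account'              => true,
        "/account\r\nX-Test: 1" => false, // CRLF would terminate the header block
        "/account\nX-Test: 1"   => false, // a bare LF is rejected as well
    ];
    foreach ($cases as $input => $expected) {
        if (header_value_is_safe($input) !== $expected) {
            return false;
        }
    }
    return true;
}

echo run_checks() ? "all header checks passed\n" : "a check failed\n";
```

Check the value as PHP hands it to you in $_GET or $_POST (already URL-decoded), since that is the form that would reach the header.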
