Friday, July 29, 2011

WebGoat - HTTP Response Splitting

Didn't filter "\r (%0A; LF)" and "\n (%0D; CR)" from user input which will be used in HTTP Header.

Vulnerable HTTP Code:
3xx (Redirection)

Vulnerable HTTP Header:
"Set-Cookie" and "Location".

Based on RFC_2616, each HTTP Header need to be followed by CRLF. In other words, CRLF can be used to create new HTTP Header. If attacker can inject CRLF into HTTP Header from user input, then this will give attacker a chance to do more attacks (such as Cache Poisoning, Web Page Defacement, etc)
There is a pretty good explanation on the Internet [1] and a whitepaper [2]. [List in Reference]

Example in WebGoat 5.3 (Web Page Defacement):

The expected parameter is "en". and the constructed parameter as follow:
en                                                                // add CRLF after "en"
Content-length: 0

HTTP/1.1 200 OK                                       // here is the new response created by attacker
Content-Type: text/html
Content-length: 33

<html>Hacked by F4l13n5n0w</html>     // page defacement content
The yellow part is used to terminal 302 request (create an empty request); the red part is malicious HTTP response created by attacker.

use URL-encoding and replace %0A to %0D%0A, the result as follow:

the encoder website:

This vulnerability has been fixed by Tomcat Team in Tomcat 6.0.18 Revision 673834 against CVE-2008-1232.

That's why we can't play it in OWASPBWA server...


No comments:

Post a Comment