AttackFlow Findings Dictionary


HTTP Response Splitting

The attacker can trick legitimate users into believing that forged content was served by the legitimate server.

Severity: Critical

Fix Cost: Low

Trust Level: Medium

HTTP is a text-based protocol in which CR/LF (newline) characters are meta-characters that delimit headers and commands.

Therefore, an attacker who is able to inject forged CR/LF characters into HTTP requests or responses may be able to manipulate the HTTP messages seen by other users.

Although recent frameworks have taken precautions against this weakness, it is important to be aware of this attack scenario and to proactively eradicate it with input validation.

One such weakness is present in the ASP.NET code below:

                            
public class BooksController : ApiController
{
[HttpPost]
public HttpResponseMessage Check(Credentials credentials)
{
// check credentials form a token
String token = GenerateToken(credentials) + “-” + credentials.nonce;   	 
Response.AppendHeader(“X-App-Token”, token);	 
// return
}
            
            

Sending credentials whose nonce value contains CR/LF characters (URL-encoded as %0d%0a) makes it possible to create extra HTTP response headers. Using these extra headers, an attacker can create fake content for HTTP caches and therefore for the end-users who rely on those caches.

There are other ways this weakness can arise; another vulnerable piece of code is shown below:

// the unvalidated "id" parameter becomes part of the Location header
string baseURL = "http://www.myserver.com/?redir=";
Response.Redirect(baseURL + Request.Params["id"]);


The same weakness in a Java (Spring MVC) controller:

@Controller
public class BooksController {

    @RequestMapping(method = RequestMethod.POST)
    public String Check(Credentials credentials, HttpServletResponse response) {
        // check credentials and form a token
        String token = GenerateToken(credentials) + "-" + credentials.nonce;
        // the unvalidated nonce is written straight into a response header
        response.setHeader("X-App-Token", token);
        // return
    }
    // ...
}


The same redirect weakness in Java:

// the unvalidated "id" parameter becomes part of the Location header
String baseURL = "http://www.myserver.com/?redir=";
response.sendRedirect(baseURL + request.getParameter("id"));
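The header path shown in both the ASP.NET and the Java controllers above, modelled in Python as an added example (not AttackFlow's or any framework's code): the vulnerable concatenation beside a hardened variant that rejects control characters, plus a small CRLF header parser showing how many headers a client or cache actually sees. GENERATED_TOKEN stands in for GenerateToken(credentials) and is a constructed value.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed stand-in for whatever GenerateToken(credentials) returns.
GENERATED_TOKEN = "tok123"

# CR, LF and every other ASCII control character must never reach a header.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def vulnerable_token_header(nonce: str) -> str:
    """Mirror of the page's controllers: the nonce is concatenated into the
    X-App-Token header value without any validation."""
    return "X-App-Token: " + GENERATED_TOKEN + "-" + nonce


def safe_header_value(value: str) -> str:
    """Hardened form: refuse the value outright (fail closed) instead of
    silently stripping characters, so the caller sees the bad input."""
    if _CONTROL_CHARS.search(value):
        raise ValueError("control character in header value")
    return value


def hardened_token_header(nonce: str) -> str:
    return "X-App-Token: " + safe_header_value(GENERATED_TOKEN + "-" + nonce)


def parse_header_block(raw: str) -> List[Tuple[str, str]]:
    """Split a serialized header block on CRLF as an HTTP parser would,
    returning (name, value) pairs."""
    headers = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def headers_seen(encoded_nonce: str) -> List[Tuple[str, str]]:
    """Headers produced by the vulnerable code for a nonce as it arrives
    URL-encoded in the request (e.g. containing %0d%0a)."""
    return parse_header_block(vulnerable_token_header(unquote(encoded_nonce)))


def headers_seen_hardened(encoded_nonce: str) -> Optional[List[Tuple[str, str]]]:
    """Same input through the hardened code; None means the request was refused."""
    try:
        return parse_header_block(hardened_token_header(unquote(encoded_nonce)))
    except ValueError:
        return None
```

The same check applies to the redirect snippets: the "id" parameter must pass safe_header_value (or be a validated, known-good target) before it is placed in the Location header.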
