Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
HTTP split / CRLF attack
Posted by: rickm
Date: June 01, 2010 10:49AM

Hello

There is an application developed in ASP/.NET that was vulnerable to HTTP splitting attacks. There was an input parameter sent in GET requests that was used as part of the Location header on the redirect. So, we just inserted a CRLF and we could create fake headers.

They mitigated the problem, but I'm unsure if it's really a good mitigation.

Now, it only prints on the Location header until it reaches a CR or LF character, so I'm unable to add more headers.

However, if I add two CRLF in sequence I see the next headers are sent and interpreted by the browser as HTML (body contents).

The input also filters <, >, ' and ".

Also, all data that I insert in this field always generates a redirect (302 HTTP code) to another webpage.

Inserting stuff like

foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>test</html>

doesn't work; I always get the redirected page again. Probably because these supposed headers are never sent as headers because of the input filter; if I add two CRLFs they turn into body contents and appear as text.

XSS could be possible, but unfortunately the filters on <, >, ' and " prevent me from exploiting it. I could set UTF-7 in the header and send encoded contents, but again I can't manipulate the headers.

Any idea if exploitation is possible?

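The redirect handler behaviour described in the post, as an added example that is not from the original thread or from the application discussed: a Python mock of the redirect in three variants (the original handler that echoes the parameter into Location, the truncate-at-first-CR/LF mitigation the poster describes, and a handler that rejects control characters and off-site targets outright), with a small raw-response parser to show what a client actually receives. The function names, the Set-Cookie payload and the hardened handler are assumptions made for the example, not anything the poster reported; the mock does not reproduce the double-CRLF quirk the poster observed, which depends on the real server's header writer.

```python
"""Constructed mock of a redirect handler that copies a GET parameter into
the Location header, in three variants, plus a raw HTTP response parser.
All names and the sample payload are assumptions for this example."""
from urllib.parse import unquote


def redirect_echo(target: str) -> str:
    """Original, vulnerable behaviour: the parameter goes straight into Location."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def redirect_truncate(target: str) -> str:
    """Mitigation described in the post: copy the value only up to the first
    CR or LF, so no second header line of the attacker's reaches the response."""
    cut = len(target)
    for i, ch in enumerate(target):
        if ch in "\r\n":
            cut = i
            break
    return redirect_echo(target[:cut])


def redirect_reject(target: str) -> str:
    """Hardened handler (assumed, not the application's fix): refuse any
    control character instead of trimming, and accept only a site-relative
    path so the redirect cannot be pointed at an attacker-chosen host."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        raise ValueError("control character in redirect target")
    if not target.startswith("/") or target.startswith("//"):
        raise ValueError("redirect target must be a site-relative path")
    return redirect_echo(target)


def parse_response(raw: str):
    """Split a raw response into (status line, [(name, value)], body) the way
    a client does: the header block ends at the first blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def injected_headers(raw: str):
    """Header names in the response that the handler never meant to send."""
    _, headers, _ = parse_response(raw)
    expected = {"location", "content-length"}
    return [name for name, _ in headers if name.lower() not in expected]


# Constructed payload in the shape the poster used: a CRLF-separated extra
# header, then a blank line so the remainder becomes the response body.
PAYLOAD = unquote(
    "foobar%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a<html>test</html>"
)


if __name__ == "__main__":
    for name, handler in (("echo", redirect_echo), ("truncate", redirect_truncate)):
        status, headers, body = parse_response(handler(PAYLOAD))
        print(name, "->", status, headers, repr(body))
    try:
        redirect_reject(PAYLOAD)
    except ValueError as err:
        print("reject ->", err)
```

Running it shows the echo handler emitting an attacker-controlled Set-Cookie header and an HTML body, the truncating handler emitting only Location: foobar, and the rejecting handler refusing the request. When checking a fix like this, read the raw bytes from the server rather than the browser's rendering, and compare the whole value against a control-character check instead of relying on where the server stops writing.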

