Lesson
Plan Title: How to
Perform Http Splitting
Concept /
Topic To Teach:
This lesson
teaches how to perform HTTP Splitting attacks.
How the
attacks works:
The attacker
passes malicious code to the web server together with normal input. A victim
application will not be checking for CR (carriage return, also given by %0d or
\r) and LF (line feed, also given by %0a or \n)characters. These characters not
only give attackers control of the remaining headers and body of the response
the application intends to send, but also allows them to create additional
responses entirely under their control.
The effect of an HTTP Splitting attack is maximized when accompanied with a
Cache Poisoning. The goal of Cache Poisoning attack is to poison the cache of
the victim by fooling the cache to believe that the page hijacked using the
HTTP splitting is a good one and it is indeed the server's copy.
The attack happens using the HTTP Splitting attack plus adding the Last-Modified:
header and setting it to a future date. This will force the browser to send If-Modified-Since
request header, which gives the attacker the chance to intercept the server's
reply and replace it with a '304 Not Modified' reply. A sample of a 304 response
is:
HTTP/1.1 304 Not Modified
Date: Fri, 30 Dec 2005 17:32:47 GMT
General
Goal(s):
This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while
stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.
Enter a language for the system to search by. You will notice that the
application is redirecting your request to another resource on the server. You
should be able to use the CR (%0d) and LF (%0a) to exploit the attack. Your
exercise should be to force the server to send a 200 OK. If the screen changed
as an effect to your attack, just go back to the homepage and after stage 2 is
exploited successfully you will find the green check in the left menu.
Solution:
Please note that this solution is written for Windows. If you use Linux you have to alter it.
Windows uses a CR and LF for new Line. Linux uses only LF.
So all the %0d%0a have to be replaced by %0a if you are using Linux.
Because the
input is not validated you can inject any HTTP syntax, carriage returns and
line-feed you want.
Enter a
language to examine what’s going on. You do have WebScarab intercepting HTTP
requests and responses?
Figure 1 Language en
Figure 2 HTTP Request
Figure 3 First HTTP Response
Figure 4 Second HTTP Request
Now inject
for the language en%0d%0a%0d%0a%0d%0a
Figure 5 First HTTP Request
Figure 6 First HTTP Response
The
Content-Length: 0 will tell the server that the first request is over.
A 200 OK
message looks like this: HTTP/1.1 200 OK
Lets see what
you can do with: foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Hacked
J</html>
Figure 7 HTTP Splitting attack
Figure 8 HTTP Response
Figure 9 Second HTTP Request
Figure 10 Second HTTP Response
Figure 11 Hacked!
Hit the “Back”
button of your browser.
Figure 12 Stage 1 completed
Now you know
how to do HTTP Splitting. You can abuse this technique to do a cache poisoning
attack.
Cache
poisoning requires manipulating the Last-Modified header. This must be changed
to a date in the future.
Inject: foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Hacked
J</html>
Figure 13 Inject cache poisoning
