All you need to know about HTTP Response Splitting Attack

HTTP Response splitting attack occurs when the server script embeds user data in HTTP response headers. In this attack, a maliciously crafted Http request is used to force a vulnerable server. As a result, an output stream is formed and interpreted by the target as two response instead of one.

Here the most noticeable fact is, the second response is totally controlled by the attacker till the last byte which fact some data and notably the less important first one is may be partially controlled by the attacker.

Hence the below three factors are always involved.

  1. Target – Simply an entity, can say a medium that interacts with a webserver on behalf of attacker.
  2. Web server - Where a security hole is enabled for this attack.
  3. Attacker- The most important factor to initiate an attack.

How does it happen?

Now here comes the concept of CRLF, namely a carriage return and a linefeed – a combination of special characters. 

CR = %0d = \r
LF = %0a = \n

Here the attacker tricks the server by inserting carriage return, linefeed both of the characters, and the web application or the user get in a think of that an object is terminated and another one has started.

Let’s have an example here to make it easier

Consider that a request would redirect to 
http://www.Roseprivatebank.com/offer.jsp?page=http://www.Roseprivatebank/detailschecking

Under the hood the request is like 
GET /exsistingoffer.jsp?page=http://www. Roseprivatebank.com/detailschecking 
HTTP/1.1\r\n 
Host: www. Roseprivatebank.com \r\n 
… \r\n

Here the server will responds with an HTTP 302(Redirect)
HTTP/1.1 302 Found \r\n
 … …
Location: http://www.Roseprivatebank.com/freechecking \r\n ......\r\n

Then the browser fetches the new page
GET/HTTP/1.1\r\n
Host: http://www.Roseprivatebank.com/detailschecking \r\n
.....
\r\n

The server responds with HTTP 200 (found) and the page
HTTP/1.1 200 OK \r\n
 ……
 \r\n

Notwithstanding the user can input something that terminates response and initiates attack
/exsistingoffer.jsp?page=foobar%0d%0aContentLength:%200%0d%0d%0a%0aHTTP/1.1%20200%20OK%0d %0aContent-Type:%20text/html%0d%0a ContentLength:%2019%0d%0a%0d%0a<html>Attack</html>

Note: Two \r\n sequences between the headers and the body.

And the result is an output stream with two response
HTTP/1.1 302 Moved Temporarily    1st response
Location: http://www.Roseprivatebank.com/exsistingoffer.jsp?page=foobar 
Content Length: 0 
HTTP/1.1 200 OK 
Content-Type: text/html                          Second Http response (inserted)
Content-Length: 19
<Anything you want> 
Server:    
Content -Type: text/html 
Content-Length: %2018

<Html>Attack<\html>

Impact:
<Anything you want > is the most dangerous part here.
A script can take over the user’s browser or can steal cookie information.
HTTP response splitting attack can lead to 
For example 

  • Cross-site scripting
  • Web cache poisoning (defacement)
  • Hijacking pages with user-specific information
  • Browser cache poisoning 
  • Browser Hijacking

Remediation

  • First of all, parse all user input such CR LF \r\n %0d%0a or any other forms of encoding this or any malicious codes before using them in any form of HTTP headers.
  • All inputs must be validated.
  • Reduce the number of cases as much as possible to reduce the attack surface size.
  • Always update programming language to a version that does not allow CR LF to be injected.

Authored By - Imtiaz Sheikh
TCS Cyber Security Practice

Rate this article: 
Average: 3.7 (3 votes)
Article category: