Is it HTTP response splitting
Written by 0na   
Monday, 10 October 2011 23:12

What do you expect when you enter a URL with a typo?
Most of the time an HTTP 404 will be returned. A common error page in the style of the website would be nicer, but now I'm asking too much. Still, it's because of an HTTP 404. And it is true, the page really doesn't exist.

But then you encounter a website and it returns an HTTP 500. Help, what am I doing wrong? Either the web server doesn't understand me (my browser) or the application is doing something and the web server doesn't understand that. And that's why I receive this answer with this message? Well, I don't know.
Let's take a better look... So the URL goes wrong when I do something like this: http://www.mywebsite.eu|. And this character | (vertical bar, pipe, unsafe character, meta character) is the problem.

But what if I try http://www.mywebsite.eua? Now I'm getting an HTTP 404. OK, well, maybe it's an encoding issue (of course it is, what else...). And again, but now with an encoded vertical bar %7C, so it would be http://www.mywebsite.eu%7C. Aaahhh, again an HTTP 500. Something somewhere is misunderstood. What if I try a LineFeed \n (%0A): http://www.mywebsite.eu%7C%0A. And now I'm redirected with an HTTP 304 to another part of the site. Apparently that's the intention. But truly, what is happening here? A Carriage Return \r (%0D) will be accepted too, I think... yes, it is.

Let's do a simple test. Is it possible to paste just another URL in the original URL, like this: http://www.mywebsite.eu|%0Ahttp://www.test.com? But of course it is, I even receive an HTTP 200 OK. Awesome, how cool is that! Do we have a possible HTTP response splitting here? Is it possible to make 2 responses in one request?
I don't know yet. I was so excited that I couldn't believe it myself, so I called dib0 to make sure.

And now I need to be serious. However awesome it may be to find such a flaw, you have to think and be aware of the possible consequences.
Whether a problem is big or small, you never want to find this kind of sloppiness on your website. Moreover, when you find one such issue, most of the time there are more... If you're a company, it comes down to professionalism. Loss of image is priceless.
 
Never, never, never trust user input. Encode and validate, the URL too!
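
A sketch of the "encode and validate" advice, added here as an example and not taken from the original post or the site in question. It assumes the application copies the request path into a `Location` header (the post does not say how the site builds its redirect); the function names and sample inputs are constructed for illustration, and the check also covers the double-encoded form (`%250A`), which goes beyond the requests tried above.

```python
from urllib.parse import quote, unquote

MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double encoding


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly so %250A (double-encoded LF) is also unwrapped."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many layers of percent-encoding")


def has_control_chars(value: str) -> bool:
    """True if the value contains CR, LF or any other ASCII control character."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def location_header_naive(path: str) -> str:
    """The 'before': decoded input is copied straight into a header line."""
    return "Location: /" + unquote(path) + "\r\n"


def location_header_checked(path: str) -> str:
    """The 'after': validate first, then re-encode everything unsafe."""
    decoded = fully_decode(path)
    if has_control_chars(decoded):
        raise ValueError("control character in request path")
    # quote() keeps only unreserved characters and '/', so '|' becomes %7C.
    return "Location: /" + quote(decoded, safe="/") + "\r\n"


# Constructed sample inputs modelled on the requests described in the post.
SAMPLES = ["news/latest", "%7C", "%7C%0Ahttp://www.test.com",
           "%7C%250Ahttp://www.test.com"]

if __name__ == "__main__":
    for sample in SAMPLES:
        naive_lines = location_header_naive(sample).splitlines()
        try:
            checked = location_header_checked(sample).strip()
        except ValueError as exc:
            checked = f"rejected ({exc})"
        print(f"{sample!r}: naive emits {len(naive_lines)} line(s); checked: {checked}")
```

The naive builder turns the `%0A` request into two header lines, which is the precondition for response splitting; the checked builder rejects it and emits the pipe only as `%7C`.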

More info on

 

© 2009 - 2012, Division by Zero

This work by Division by Zero is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Netherlands License.