HTTP Splitting is also known as HTTP response splitting. Basically it is caused by failing to sanitize the carriage return (CR, hex representation %0d or “\r”) and line feed (LF, hex representation %0a or “\n”) characters in user input before that input is copied into the Location or Set-Cookie header of a 302 redirect.
It can be used to perform:
1. cross-site scripting attacks
2. cross-user defacement
3. web cache poisoning
For detailed information: http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
The tutorial assumes you have installed the following software (good to go):
1. OWASP Webgoat v5.2: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
2. OWASP WebScarab (proxy server): http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
For this exercise, Webgoat has split the lesson into 2 stages: HTTP Splitting & Cache Poisoning. Cache Poisoning is almost the same as HTTP Splitting. The only difference is that a “Last-Modified” header is included in the injected response (e.g. Last-Modified: Mon, 27 Oct 2012 14:50:18 GMT). No worries, just follow through the steps first.
Start your Webgoat -> Click on HTTP Splitting -> Key in “en” in the Search by Country field -> Click on the Search! button
(Note: Ensure that you have checked Intercept requests in WebScarab before you click on the Search! button)
Webscarab will intercept your request as shown below.
Check on Intercept responses -> Click on Accept changes
Webscarab will intercept your response as shown below.
Change the highlighted text (en) to the value below -> Click on Accept changes
foobar%0aContent-Length:%200%0a%0aHTTP/1.1%20200%20OK%0aContent-Type:%20text/html%0aContent-Length:%2047%0a%0a<html>Hacked J</html>
The above value decodes to the following (the empty lines matter: the first one ends the headers of the original redirect, the second one ends the headers of the injected 200 response):
foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 47

<html>Hacked J</html>
(Note: The above value uses LF only, which is enough for a unix system as unix recognizes LF only. For a windows system, please replace every “%0a” with “%0d%0a”, which is the equivalent of CRLF.)
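To see why the redirect splits into two responses and what the fix looks like, here is an added Python illustration (not WebGoat’s own servlet code). It rebuilds the lesson’s 302 redirect in two ways, a vulnerable version that copies the decoded parameter straight into Location and a hardened version that rejects CR/LF and percent-encodes the value, and counts how many HTTP status lines a proxy or browser would see in the resulting bytes; the response skeleton and function names are assumptions made for the example.

```python
import re
from urllib.parse import quote, unquote

# The payload from the lesson above, URL-decoded the way the server decodes a query parameter.
LESSON_PAYLOAD = unquote(
    "foobar%0aContent-Length:%200%0a%0aHTTP/1.1%20200%20OK%0a"
    "Content-Type:%20text/html%0aContent-Length:%2047%0a%0a<html>Hacked J</html>"
)


def build_redirect_vulnerable(country: str) -> str:
    """Mimics the lesson's bug: the decoded parameter lands unmodified in the Location header.

    The response skeleton (status line, header name, path) is an assumption for this example.
    """
    return "HTTP/1.1 302 Found\nLocation: /WebGoat/attack?language=" + country + "\n\n"


def is_safe_header_value(value: str) -> bool:
    """A header value may never contain a bare CR or LF; that is the whole defence."""
    return "\r" not in value and "\n" not in value


def build_redirect_hardened(country: str) -> str:
    """Fix: refuse CR/LF outright, then percent-encode so the value stays a single token."""
    if not is_safe_header_value(country):
        raise ValueError("CR/LF is not allowed in a header value")
    encoded = quote(country, safe="")  # %0a / %0d stay literal text, never line breaks
    return "HTTP/1.1 302 Found\nLocation: /WebGoat/attack?language=" + encoded + "\n\n"


def count_status_lines(raw: str) -> int:
    """How many HTTP status lines appear in this byte stream (2 means the response was split)."""
    return len(re.findall(r"^HTTP/1\.[01] \d{3} ", raw, flags=re.M))


if __name__ == "__main__":
    print(count_status_lines(build_redirect_vulnerable("en")))             # 1
    print(count_status_lines(build_redirect_vulnerable(LESSON_PAYLOAD)))   # 2
    print(is_safe_header_value(LESSON_PAYLOAD))                            # False
```

Modern servlet containers and HTTP libraries apply the same reject-CR/LF rule inside their header-setting APIs, which is why this lesson needs a deliberately vulnerable application to reproduce it.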
Before changing the response:
After changing the response:
Click on Accept changes
Click on Accept changes
You will be able to see a page containing “Hacked J” as shown below:
To go back to Webgoat page, key in the below URL:
http://192.168.38.134:8088/WebGoat/attack
(Note: replace the IP address/port with your own IP address/port – the default is 127.0.0.1 and port 80 or 8080)
Key in “en” in the Search by Country field -> Click on the Search! button
(Note: Ensure that you have checked Intercept requests in WebScarab before you click on the Search! button)
Webscarab will intercept your request as shown below.
Check on Intercept responses -> Click on Accept changes
Webscarab will intercept your response as shown below.
Change the highlighted text (en) to the value below -> Click on Accept changes
foobar%0aContent-Length:%200%0a%0aHTTP/1.1%20200%20OK%0aContent-Type:%20text/html%0aLast-Modified:%20Mon,%2027%20Oct%202012%2014:50:18%20GMT%0aContent-Length:%2047%0a%0a<html>Hacked J</html>
The above value decodes to the following (the only change from the HTTP Splitting stage is the Last-Modified header in the injected response):
foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 27 Oct 2012 14:50:18 GMT
Content-Length: 47

<html>Hacked J</html>
(Note: The above value uses LF only, which is enough for a unix system as unix recognizes LF only. For a windows system, please replace every “%0a” with “%0d%0a”, which is the equivalent of CRLF.)
Before changing the response:
After changing the response:
The rest of the screens are the same as in HTTP Splitting. Just keep clicking on Accept changes until you see the screen below:
Now you have completed the HTTP Splitting lesson: