What is Response splitting?
Response Splitting is quite a bit harder to understand than Cross Site Scripting, Cross Site Request Forgery or SQL Injection. It relies on two facts about HTTP:
- HTTP is a request/response protocol: every request gets exactly one response, and on a persistent connection that carries several requests in a row a proxy can pair responses with requests only by their order.
- The parts of a response are delimited by CR-LF sequences: one CRLF ends each header line, and an empty line (CRLF CRLF) separates the headers from the body.
In what follows I write CRLF for these separators; in the attacker's input they are sent URL-encoded, as %0d%0a.
The twist is that an HTTP/1.x proxy has no way to tell where one response ends and the next begins other than by parsing the bytes. If user input is copied into a response header without removing CR and LF, the attacker can end the real response early and append a complete second one. The proxy then sees two responses where the server meant to send one, and is holding a response with no request of its own. It cannot simply drop that response, because as far as it can tell the next request on the connection is the one the response belongs to. HTTP/2's binary framing ties every response to a stream identifier, so this ambiguity is specific to HTTP/1.x.
Wikipedia puts this more formally:
The attack consists of making the server print a carriage return (CR, ASCII 0x0D) line feed (LF, ASCII 0x0A) sequence followed by content supplied by the attacker in the header section of its response, typically by including them in input fields sent to the application. Per the HTTP standard (RFC 2616), headers are separated by one CRLF and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses, hence the name.
Outline of an attack
The attacker opens one connection to the caching proxy and sends two requests back to back. The bytes that flow are:
1. A valid request to a page that reflects user input into a response header (typically a redirect), with the input carrying items 2 and 3 below, URL-encoded
2. A valid but empty response, ended early by the injected CRLF CRLF
3. A second valid response, also injected, that may (and in a real attack will) contain malicious content
4. A second request, sent shortly after the first, for the page the attacker wants to poison
The server sends 2 and 3 as its single response to 1. The proxy, reading the bytes, sees 1 and 2 pair up as the protocol demands.
3 is left dangling until the second request (4) arrives.
The proxy answers 4 with 3, and caches 3 as the content of the URL requested in 4.
If the proxy were human it would be thinking:
Ah, a request. And a response. Good.
A second response but no request; hang on to it.
Ah, a second request. Send the second response, and cache it for all repetitions of this request.
Why is it dangerous
At first sight this looks pointless: the attacker is sending malicious code to themselves. It becomes dangerous when the requests and responses pass through a (proxy) server that caches responses. If the second request (4) is for a common page, everyone who later asks the proxy for that page is served the poisoned response. Reference (1) works through an attack in detail and shows how it can be used for Cross Site Scripting and Cross Site Request Forgery.
The following sequence is adapted from (1). The numbers match the outline above; a CRLF on a line of its own is the empty line that ends a response's headers.
1. A request whose reflected input carries items 2 and 3 below, URL-encoded (%0d%0a for each CRLF)
2. Content-Length: 0 CRLF
   CRLF
3. HTTP/1.1 200 OK CRLF
   Content-Type: text/html CRLF
   Content-Length: 35 CRLF
   CRLF
   alert('Running JS on your machine')
4. Any valid request, e.g.
   GET /branches.html HTTP/1.1
The Content-Length in 3 must equal the length of the body that follows it, here 35 bytes, or the proxy will frame the second response wrongly.
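The exchange above, as an added example that is not code from the original page or from reference (1): a hypothetical redirect handler that reflects a lang parameter into the Location header without rejecting CR/LF, and a minimal parser that frames its output the way an HTTP/1.1 proxy does, then pairs responses with pipelined requests by order. The handler, the paths and the parameter name are assumptions; the injected value is the page's sequence, URL-encoded. Running it shows one server response split into two and the second one cached against the path of the second request.

```python
import urllib.parse

# Constructed example: a vulnerable redirect handler plus a proxy-side framer.
# None of this is real server or proxy code; it models the mechanism only.

CRLF = "\r\n"

# The attacker's "lang" value as it travels in the first request (URL-encoded).
# It terminates the real, empty redirect response and then supplies a second one.
INJECTED_LANG = (
    "foobar%0d%0a"
    "Content-Length:%200%0d%0a"
    "%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0a"
    "Content-Length:%2035%0d%0a"
    "%0d%0a"
    "alert('Running%20JS%20on%20your%20machine')"
)


def vulnerable_redirect(encoded_lang: str) -> bytes:
    """Hypothetical handler: decodes the parameter once and copies it verbatim
    into a response header. Nothing strips CR or LF (the flaw under discussion)."""
    lang = urllib.parse.unquote(encoded_lang)
    headers = [
        "HTTP/1.1 302 Found",
        "Content-Length: 0",
        f"Location: /by_lang?lang={lang}",
    ]
    return (CRLF.join(headers) + CRLF + CRLF).encode()


def split_responses(raw: bytes) -> list:
    """Frame a byte stream the way an HTTP/1.1 proxy does: status line, header
    lines, empty line, then exactly Content-Length bytes of body. Returns one
    (status_line, headers, body) tuple per response it can frame."""
    responses = []
    pos = 0
    while True:
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        status = lines[0]
        if not status.startswith("HTTP/"):
            break  # trailing bytes that do not start a response
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length", "0"))
        body = raw[body_start:body_start + length]
        responses.append((status, headers, body))
        pos = body_start + length
    return responses


def proxy_pipeline(request_paths: list, server_bytes: bytes) -> dict:
    """Pair framed responses with pipelined requests purely by order, as a
    caching proxy must, and return what ends up cached for each path."""
    cache = {}
    for path, response in zip(request_paths, split_responses(server_bytes)):
        cache[path] = response
    return cache


if __name__ == "__main__":
    wire = vulnerable_redirect(INJECTED_LANG)
    poisoned = proxy_pipeline(["/redirect", "/branches.html"], wire)
    for path, (status, _, body) in poisoned.items():
        print(path, "->", status, body)
```

With a harmless value such as lang=en the same handler yields exactly one framed response; with the injected value the proxy frames two, and the second, attacker-written one becomes the cached answer for /branches.html.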
The defence is simple
Validate on the server side and reject (or strip) CR and LF from user input before it is placed in a response header, in every handler where input is reflected into a header. Better still, use an HTTP library that refuses to emit a header containing those characters, as most current web frameworks do.
The attacker may try to evade this with double encoding (%250d%250a in place of %0d%0a), which only becomes CR LF after a second round of decoding. If the defender scans the still-encoded input for %0d%0a instead of checking the decoded value for the actual CR and LF characters, the injection is missed. Check the value after every decoding step the application performs, and check for the characters themselves, not for one particular encoding of them; a lone LF should be rejected as well, since some parsers accept it as a line terminator.
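As an added example (not code from the original page), the scan-before-decode check beside the check the paragraph recommends, done on the value after decoding. The hardened safe_redirect handler, the lang parameter and the assumption that the application decodes its input twice are mine, not the page's; the two sample inputs are constructed.

```python
import urllib.parse

# Constructed example: why the check must run on the decoded value.

# Constructed sample inputs: the same injection, singly and doubly URL-encoded.
SAMPLE_SINGLE_ENCODED = "foobar%0d%0aContent-Length:%200"
SAMPLE_DOUBLE_ENCODED = "foobar%250d%250aContent-Length:%200"


def naive_check_encoded(raw: str) -> bool:
    """Scans the input as received for the encoded CRLF. Returns True when the
    input looks clean. This is the scan-before-decode mistake: it cannot see a
    CRLF that is hidden behind a second layer of encoding."""
    return "%0d%0a" not in raw.lower()


def decode_like_the_app(raw: str, rounds: int = 2) -> str:
    """Apply percent-decoding as many times as the application's layers do
    (framework decode plus one more unquote in application code). Two rounds
    is an assumption about this hypothetical application."""
    value = raw
    for _ in range(rounds):
        value = urllib.parse.unquote(value)
    return value


def is_safe_header_value(raw: str, rounds: int = 2) -> bool:
    """Check the value the header will actually contain for the control
    characters themselves. A lone CR or LF is rejected too."""
    decoded = decode_like_the_app(raw, rounds)
    return not any(ch in decoded for ch in "\r\n")


def safe_redirect(encoded_lang: str) -> bytes:
    """Hardened counterpart of a redirect that reflects lang into Location:
    refuse the request rather than emit a header containing CR or LF."""
    if not is_safe_header_value(encoded_lang):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    lang = decode_like_the_app(encoded_lang)
    return (
        f"HTTP/1.1 302 Found\r\nLocation: /by_lang?lang={lang}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


if __name__ == "__main__":
    for label, sample in (("single", SAMPLE_SINGLE_ENCODED),
                          ("double", SAMPLE_DOUBLE_ENCODED)):
        print(label,
              "naive passes:", naive_check_encoded(sample),
              "decoded check passes:", is_safe_header_value(sample))
```

The doubly encoded sample slips past the scan of the raw input but not past the decoded check. Note that with rounds=1 the doubly encoded value is genuinely harmless (it decodes to the literal text %0d%0a), which is the point: what matters is the value after the last decode the application performs, so the check has to sit there.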
This attack uses ordinary properties of the HTTP protocol to stage an attack. The cache-poisoning variant described here requires the requests and responses to pass through a server that caches responses; without a cache the injected response reaches only the client that sent the request, which still matters when that request was made by a victim following an attacker-supplied link.
- (1) http://resources.infosecinstitute.com/http-response-splitting-attack/ Step-by-step explanation
- (2) http://en.wikipedia.org/wiki/HTTP_response_splitting Wikipedia on response splitting