HTTP Header Injection

HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol (HTTP) headers are dynamically generated based on user input.  Generally, there are three types of common attacks: HTTP Response Splitting, HTTP Response Smuggling, and HTTP Request Smuggling.

HTTP Response Splitting

  • Attack Path
    • HTTP Response Splitting (HRS) attacks take place where the server script embeds user data in the redirection URL of the Location header (HTTP status code 3xx) or in the Set-Cookie header when the response sets a cookie. In both cases, the embedded data is not validated.
    • In the attack, a single HTTP request is sent to force the web server to form an output stream, which is then interpreted by the browser as two HTTP responses instead of one response.
  • Attack Vector: The attacker injects the malicious HTTP headers by using a carriage return (CR, ASCII 0x0D, %0D) and a line feed (LF, ASCII 0x0A, %0A) followed by the attack content. Per the HTTP standard (RFC 2616), headers are separated by one CRLF sequence and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses.
  • The default character-set in HTML5 is UTF-8.
  • Risks (WASC)
    • Cross-site Scripting (XSS)
    • Web cache poisoning (defacement)
    • Cross user attacks (single user, single page, temporary defacement)
    • Hijacking pages with user-specific information
    • Browser cache poisoning
  • Example: The page cookies.aspx tells the browser to create a cookie named mycookie whose value is taken from a query-string parameter called cookie.
    ' The cookie value is taken straight from the query string with no validation.
    Dim MyCookie As New HttpCookie("mycookie", Request.QueryString("cookie"))
    Response.AppendCookie(MyCookie)
    Without proper input sanitizing, the following URL will cause the server program to create two cookies: mycookie (the legitimate cookie) and hackercookie (the injected cookie):
    http://site/cookies.aspx?cookie=123%0D%0ASet-Cookie%3A%20hackercookie=hacked
    The Set-Cookie header is used in an HTTP response to ask the browser to save a cookie. %0D%0A is the URL-encoded form of the CRLF line terminator that separates HTTP response headers, usually written as "\r\n" in code. In other words, the attacker uses the line terminator to end the original header line and add a second Set-Cookie header immediately after it. As a result, a malicious cookie named hackercookie is added with a value of "hacked".
    Normally the HTTP response headers segment looks like this:
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.1
    Date: Thu, 5 Mar 2009 14:11:50 GMT
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Set-Cookie: mycookie=123
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    With the injected Set-Cookie header, the HTTP response headers segment looks like this.
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.1
    Date: Thu, 5 Mar 2009 14:11:50 GMT
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Set-Cookie: mycookie=123
    Set-Cookie: hackercookie=hacked
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
  • Example: An HTTP header can also be injected to force users to download a backdoor.
    http://thesite.com/something.aspx?id=9999%0d%0a
    Content-Length:+22%0d%0a%0d%0a<html>%0d%0a<a href=www.hacker.com/hacker.exe>
    Please update first </a>%0d%0a</html>%0d%0aHTTP/1.1

ASP.net Related

  • ASP.NET 2.0 has made this attack almost impossible because, by default, "\r\n" is disallowed in methods that involve HTTP response headers. If enableHeaderChecking is set to false in web.config, then the Set-Cookie will not work. Not many valid user scenarios require applications to turn off enableHeaderChecking.
  • Here is the response header with "enableHeaderChecking" turned on.  Note that %0D%0A is interpreted literally. Thus, the value for mycookie becomes 123%0D%0ASet-Cookie: hackedcookie=hacked.
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.1
    Date: Thu, 20 Sep 2007 20:11:50 GMT
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Set-Cookie: mycookie=123%0D%0ASet-Cookie:HackedCookie=Hacked
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
  • web.config
    <configuration>
      <system.web>
        <httpRuntime enableHeaderChecking="false" />
      </system.web>
    </configuration>
  • Note: IIS always rejects new lines in response headers, even if ASP.NET enableHeaderChecking is set to false.

Defense Measures

  • Data validation: remove the line-terminator characters carriage return (\r, CR, 0x0D, and its encoded variants) and line feed (\n, LF, 0x0A, and its encoded variants) from user data before placing it in a header.
  • Web server protection: implement header splitting defense mechanisms with the server.
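As an added example (not code from this page, from ASP.NET or from IIS), the following Python model covers both the cookies.aspx example above and the data-validation defense: a vulnerable response builder that embeds the query value in Set-Cookie unchanged, a small client-side header parser that shows the second Set-Cookie appearing, a hardened builder that rejects CR/LF the way enableHeaderChecking does, and a stripping variant. The PAYLOAD value, the parser and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed: the page's payload as the server sees it after URL decoding,
# i.e. "123\r\nSet-Cookie: hackercookie=hacked".
PAYLOAD = unquote("123%0D%0ASet-Cookie%3A%20hackercookie=hacked")

CRLF_RE = re.compile(r"[\r\n]")


class HeaderInjectionError(ValueError):
    """Raised when a header value contains a CR or LF."""


def build_response_unsafe(cookie_value: str) -> bytes:
    """Vulnerable: the query value is embedded in Set-Cookie unchecked."""
    headers = [
        "HTTP/1.1 200 OK",
        f"Set-Cookie: mycookie={cookie_value}",
        "Content-Type: text/html; charset=utf-8",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n<html></html>").encode()


def build_response_safe(cookie_value: str) -> bytes:
    """Hardened: reject any CR/LF, as ASP.NET's enableHeaderChecking does."""
    if CRLF_RE.search(cookie_value):
        raise HeaderInjectionError("CR or LF not allowed in a header value")
    return build_response_unsafe(cookie_value)


def sanitize_header_value(cookie_value: str) -> str:
    """The page's other defense: strip CR/LF instead of rejecting the value."""
    return CRLF_RE.sub("", cookie_value)


def parse_headers(raw: bytes) -> list:
    """Split a raw response into (name, value) pairs the way a client would."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def set_cookie_values(raw: bytes) -> list:
    """Return every Set-Cookie value the client would act on."""
    return [v for n, v in parse_headers(raw) if n.lower() == "set-cookie"]
```

With the stripping defense the whole remainder of the payload stays inside the single mycookie value, which is the same outcome the enableHeaderChecking response dump above shows.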

Resources