A new white paper by Sanctum: "Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics"



Hi

Today, Sanctum released a new whitepaper, titled "Divide and Conquer
- HTTP Response Splitting, Web Cache Poisoning Attacks, and Related
Topics". The full paper can be found in the following link:
http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf

The paper's abstract is copied below:

"HTTP Response Splitting" is a new application attack technique which
enables various new attacks such as web cache poisoning, cross user
defacement, hijacking pages with sensitive user information and an
old favorite, cross-site scripting (XSS). This attack technique, and
the attacks derived from it, are relevant to most web environments
and are the result of the application's failure to reject illegal user
input, in this case, input containing malicious or unexpected
characters.

Cross user defacement enables the attacker to forge a page that is
sent to the victim. It can be looked at as a very localized and
temporary kind of defacement, which affects one user at a time. Web
cache poisoning elevates that defacement into a permanent effect on a
more global scope by forging a cached page in a cache server shared
among a multitude of site users. Hijacking pages with sensitive user
information lets the attacker gain access to user specific
information provided by the server such as health records or
financial data. Cross-site scripting enables the attacker to steal
other clients' credentials that are then used in conjunction with the
vulnerable site. HTTP response splitting, and the derived attacks,
are relevant to most web environments including Microsoft ASP,
ASP.NET, IBM WebSphere, BEA WebLogic, Jakarta Tomcat, Macromedia
ColdFusion/MX, Sun Microsystems SunONE; popular cache servers such as
NetCache, Squid and Apache; and popular browsers such as Microsoft
IE 6.0.

The HTTP response splitting vulnerability is the result of the
application's failure to reject illegal user input, specifically
input containing malicious or unexpected CR and LF characters.

This paper will describe the concept of the attack and provide some
use cases. We will include a description of the basic technique and
practical considerations of various aspects of the attack and some
theoretic results in one case. Finally, we comment on evidence of the
vulnerability in the wild, some research byproducts, recommendations,
conclusions, related work and references. The full list of products
we experimented with is provided in the appendix.

Thanks,
-Amit

Amit Klein
Director of security and research, Sanctum
W: +972-9-9586077 x225, F: +972-9-9576337
1 Sapir St., Ampa Bldg., Herzlia 46733 Israel
amit.klein@xxxxxxxxxxxxxx
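The root cause named in the announcement is a header value built from user input that is never checked for CR/LF. The following is an added example, written for this page and not taken from the Sanctum paper or any of the products it lists: a small redirect builder that refuses (or, alternatively, percent-encodes) control characters before placing a value in a `Location` header, plus a proxy-side sanity check that counts status lines in a raw response stream. All function names and the sample byte strings are constructed for illustration.

```python
import re
from urllib.parse import quote

# Any ASCII control character other than horizontal tab ends or corrupts a
# header line; CR (0x0D) and LF (0x0A) are the ones that terminate it.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def is_safe_header_value(value: str) -> bool:
    """True when the value can be placed in a header line unchanged."""
    return _CONTROL_RE.search(value) is None


def build_redirect(location: str) -> bytes:
    """Build a minimal 302 response.

    Hardened form: a Location value containing CR/LF (or any other control
    character) is rejected outright instead of being written into the
    response, which is the failure mode the abstract describes.
    """
    if not is_safe_header_value(location):
        raise ValueError("header value contains control characters")
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("ascii")


def build_redirect_encoded(location: str) -> bytes:
    """Alternative hardening for values that are meant to be URLs anyway:
    percent-encode everything outside the unreserved/URL-delimiter set, so
    CR becomes %0D and LF becomes %0A and the header stays one line."""
    return build_redirect(quote(location, safe=":/?&=#"))


# Proxy-side / cache-side check: one HTTP message carries exactly one status
# line. A second status line inside what should be a single response is a
# strong signal that the origin's output was split.
_STATUS_LINE_RE = re.compile(rb"(?m)^HTTP/1\.[01] \d{3} ")


def count_status_lines(raw: bytes) -> int:
    """Number of HTTP/1.x status lines found in a raw response stream."""
    return len(_STATUS_LINE_RE.findall(raw))


# Constructed sample of what a cache would see if an origin emitted two
# responses where one was expected (not captured from any real server).
CONSTRUCTED_SPLIT_STREAM = (
    b"HTTP/1.1 302 Found\r\nLocation: /\r\nContent-Length: 0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
)

if __name__ == "__main__":
    print(build_redirect("/home").decode())
    print(build_redirect_encoded("/home\r\nX: y").decode())
    print("status lines in split sample:", count_status_lines(CONSTRUCTED_SPLIT_STREAM))
```

Rejecting is the safer default for values that should never contain line breaks; encoding is appropriate only when the value is a URL component and the receiving side will decode it as such.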