HTTP response splitting
HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits.
HTTP |
---|
Request methods |
Header fields |
Status codes |
Security access control methods |
Security vulnerabilities |
The attack consists of making the server print a carriage return (CR, ASCII 0x0D) line feed (LF, ASCII 0x0A) sequence followed by content supplied by the attacker in the header section of its response, typically by including them in input fields sent to the application. Per the HTTP standard (RFC 2616), headers are separated by one CRLF and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses—hence the name.
Prevention
The generic solution is to URL-encode strings before inclusion into HTTP headers such as Location or Set-Cookie.
Typical examples of sanitization include casting to integers or aggressive regular expression replacement. Although response splitting is not specific to PHP, the PHP interpreter contains protection against the attack since version 4.4.2 and 5.1.2.[1]
References
- "PHP: PHP 5.1.2. Release Announcement". The PHP Group. Retrieved 2014-11-13.
External links
- Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics. Amit Klein, 2004.
- Target Web Application Vulnerable to HTTP Header Injection
- HTTP Response Splitting, The Web Application Security Consortium
- Wapiti Open Source XSS, Header, SQL and LDAP injection scanner
- LWN article
- CWE-113: Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
- HTTP Response Splitting Attack - OWASP
- CRLF Injection - OWASP