HTTP Response Splitting or CRLF injection is an attack technique which enables various attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and our favorite, cross-site scripting (XSS). This attack technique, and the derived attacks from it, are relevant to most web environments and is the result of the application’s failure to reject illegal user input, in this case, input containing malicious or unexpected characters. The talk will cover the concept of the attack and will take you through some use cases.

1. By Sharath Unni
@haxorhead

2.  Involved parties
 Root problem
 Example
 Web cache poisoning
 XSS
 Other derived attacks
 Recommendations

3.  There are always 3 parties (atleast) involved
 Web server: hosts the application, with the
vulnerability. (Tomcat, Apache, IIS etc.)
 Target: An entity that interacts with the web
server on behalf of the client. Eg: squid proxy
 Attacker: initiates the attack

4.  Failure to reject illegal user input
 Specifically input containing CR and LF
characters
 Carriage Return and Line Feed - %0d%0a
(rn)
 The data (user input) is included in an HTTP
response header without any validation.
 HTTP connection sharing
 Caching – less control over the site content,
improve performance, speed etc.

5.  Normal request:
http://www.the.site/new_page.asp?lang=german
 Normal response:
HTTP/1.0 302 Redirect
Location:
http://www.the.site/new_page.asp?lang=german
Connection: Keep-Alive
Content-Length: 0

6.  Request (attacker):
http://www.the.site/welcome.asp?lang=Foo%0d%0aConnection:%20Keep-
Alive%0d%0aContent-
Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-
Type:%20text/html%0a%0aContent-
Length:%2020%0d%0a%0d%0a<html>Pwned!</html>
 Response:
HTTP/1.0 302 Redirect
Location: http://www.the.site/new_page.asp?lang=Foo
Connection: Keep-Alive
Content-Length: 0
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 20
<html>Pwned!</html>Connection: Keep-Alive
Content-Length: 0

7.  Attack overview:
 Attacker sends 2 requests:
 1. HTTP response splitter (with %0d%0a)
 2. An innocent request
 Proxy will match 1st request -> 1st reponse
 2nd request (innocent) -> 2nd response in
cache (Pwned!)

9. 9
1st attacker request
(response splitter) 1st attacker request
302
302
200
(Pwned!)
(response splitter)
2nd attacker request
(innocent /index.html)
2nd attacker request
(innocent /index.html)
200
(Pwned!) 200
(Welcome)

10.  XSS: The second response is controlled by the
attacker and JavaScript or HTML code can be
inserted.

11.  Evade CSP – Content Security Policy – instructs
the client browser from which location and/or
which type of resources are allowed to be loaded
 Certain browsers will interpret the first
occurrence of HTTP header
 HTTP Response header
Content-Security-Policy:
X-Content-Security-Policy
Lang=en_US%0d%0aX-Content-Security-Policy: allow *

14.  For developers:
◦ Validate user input and remove CRLF characters
(particularly when setting cookie and redirecting)
 For proxy vendors:
◦ Avoid sharing server TCP connections among
different virtual hosts.
◦ Maintain request host header correctly from the URL
and not from the Host header.

15. Thank you
@haxorhead