
HTTP Response Splitting - How common?


MaXe


Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Feb 03, 2011 10:07 am

HTTP Response Splitting - How common?

Hello EH'ers,


Today would be time for a good question, so I thought: How common is the HTTP Response Splitting vulnerability?

Compared to XSS (Persistent and Non-Persistent), XSRF/CSRF, SQL Injection, LFI + RFI, RCE, etc.

I have seen a few WebAppSec courses implement it in their material, but I haven't encountered this vulnerability on a live website yet. The attack itself is interesting, but personally it feels like an attack which died a long time ago, before RFI suddenly got patched pretty well in most Web Applications.

So how common are HTTP Response Splitting vulnerabilities? What is your opinion? I'd like to know since I haven't really hunted for these bugs either, but also because I want to know if it's worth spending time trying to find them during a real pentest (where the source code is not available), compared to the other vulnerabilities which are easier to detect, confirm and exploit.


~ MaXe
I'm an InterN0T'er

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Wed Aug 24, 2011 6:01 am

Re: HTTP Response Splitting - How common?

Hi MaXe,

After seeing your post I started to research this vulnerability,

and I can proudly say to you

"IT IS STILL ALIVE"

As you said, you haven't seen this on a live website;
here we go

  Code:
http://www.exploit-db.com/exploits/11211/


It is an old one; I am sure it has been patched by now, but it is nice to see its presence.

Also go here
  Code:
http://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-15944/Apache-Http-Server-2.0.52.html


Look at the 20th one; they mention "HTTP Request Smuggling", which looks similar to the attack type you described.

TBH, as I am not an expert in this, I would like to ask some questions:

Are HTTP request smuggling and HTTP response splitting the same thing?

Reading your post, together with my recent interest in HTTP headers, methods and related attacks, made me curious to learn in depth about the threats a server faces when it enables methods like
HEAD, OPTIONS, etc.

Do you have any interesting documents to feed my thoughts :) ?
If you have any, please feed me, I'm hungry MaXe :)

And it seems I touched an old dusty question, cough, cough :)
Last edited by manoj9372 on Wed Aug 24, 2011 6:05 am, edited 1 time in total.

MaXe


Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Aug 24, 2011 10:51 am

Re: HTTP Response Splitting - How common?

Hi manoj,

manoj9372 wrote: and I can proudly say to you

"IT IS STILL ALIVE"
  Code:
http://www.exploit-db.com/exploits/11211/



Yes, but it has probably been the only vulnerability of its kind I've seen last year that was worth reporting, too. (I have absolutely no affiliation with this exploit.)

manoj9372 wrote: TBH, as I am not an expert in this, I would like to ask some questions:

Are HTTP request smuggling and HTTP response splitting the same thing?



Yes, they're the same; every vulnerability tracker calls things different names for some funny reason. Some sites use what I would call "whitehat words", while others like exploit-db use "blackhat words", where the blackhat words don't mean it's illegal, it just means it makes sense, and you don't have to think about the meaning at all.  ;D Straight and simple, as it should be.

manoj9372 wrote:

Reading your post, together with my recent interest in HTTP headers, methods and related attacks, made me curious to learn in depth about the threats a server faces when it enables methods like
HEAD, OPTIONS, etc.

Do you have any interesting documents to feed my thoughts :) ?
If you have any, please feed me, I'm hungry MaXe :)

And it seems I touched an old dusty question, cough, cough :)


Most servers have GET, POST and HEAD enabled by default. HEAD is nice to check if e.g. a directory or file exists, as it will only return the response code and thereby limit the stress on the webserver.

OPTIONS is enabled on most Apache servers, but occasionally on IIS servers it may not be. (It seems like it depends on the version, but also the company behind.)

TRACE is randomly enabled, and of course you can note it in a pentest report as a low risk, but it's worth focusing more on other issues such as SQL Injection, Persistent / Stored XSS, RFI, LFI, etc.
I'm an InterN0T'er
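As an added example (not code from this thread or from either poster), here is the mechanism and the fix behind the bug the thread asks about, in Python. HTTP response splitting happens when an application copies user input that contains CR/LF into a response header: the first blank line inside that value ends the header block early, and whatever follows is read by the client or an intermediate proxy as an extra header and a body the application never meant to send. The redirect value, header name and function names below are all constructed for this illustration; the "unsafe" builder stands in for the vulnerable pattern, and the "safe" builder shows the standard mitigation, which is to reject (not escape) CR, LF and NUL in header names and values before they reach the wire.

```python
import re

CRLF = "\r\n"

# Constructed sample input: a redirect target as a web app might receive it
# from a query parameter, carrying CR/LF that the app never stripped.
TAINTED_TARGET = "/home\r\nX-Injected: constructed\r\n\r\nconstructed-body"


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could terminate the header block."""


def build_response_unsafe(status, headers, body=""):
    """'Before' version: interpolates header values verbatim, so a value
    containing CRLF ends the current header block early (the bug)."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    return CRLF.join(lines) + CRLF + CRLF + body


# RFC 7230 token characters for header names; CR, LF and NUL are never
# legal inside a header value, so they are rejected rather than escaped.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_response_safe(status, headers, body=""):
    """Hardened version: validates every header name and value before
    emitting anything, so tainted input can never split the response."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers:
        if not _TOKEN.match(name):
            raise HeaderInjectionError(f"illegal header name: {name!r}")
        if _FORBIDDEN.search(value):
            raise HeaderInjectionError(f"CR/LF/NUL in value of {name}")
        lines.append(f"{name}: {value}")
    return CRLF.join(lines) + CRLF + CRLF + body


def split_point(raw):
    """Read a raw response the way a client or proxy does: the first blank
    line ends the headers and everything after it is body."""
    head, _, body = raw.partition(CRLF + CRLF)
    return head.split(CRLF), body


def demo_unsafe():
    """Show where the tainted value lands: an extra header line plus a body
    the application never intended to send."""
    raw = build_response_unsafe("302 Found", [("Location", TAINTED_TARGET)])
    return split_point(raw)


def demo_safe():
    """The hardened builder refuses the same value outright."""
    try:
        build_response_safe("302 Found", [("Location", TAINTED_TARGET)])
    except HeaderInjectionError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    header_lines, body = demo_unsafe()
    print("unsafe builder emitted headers:", header_lines)
    print("unsafe builder leaked body:", body.strip())
    print("safe builder:", demo_safe())
```

Modern frameworks and servers already perform the check in `build_response_safe` on every header they emit, which is a large part of why the bug is rare on live sites today; when reviewing code, the thing to look for is any path that writes a header line from user input without going through that validation, such as a hand-rolled redirect or a custom CGI-style response writer.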
