HTTP Response Splitting
Header splitting is an attack designed to steal data from users of a site. It can be used to carry out cross-site scripting attacks, steal user data, or deface a site so that it appears to contain content its creator never intended.
How serious is HTTP Response Splitting?
Every time a browser requests a web page, information known as headers is exchanged between the browser and the page. Headers perform important functions such as telling the browser which language should be displayed, whether some action should be taken, and how the website was written. Here is a sample set of headers from a request to Google:
http://www.google.com/
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
During application coding, there are many times you may wish to update or set a header yourself. For instance, a common task is to send a redirect by setting a header in PHP. As a simple illustration of response splitting, imagine you had code which set a header using a parameter found in the URL (a GET parameter):
<?php
// Vulnerable on purpose: the untrusted query parameter is copied straight into the header value.
header("Location: ".$_GET['redirect']);
?>
This code will set the Location header for your page. A malicious person might recognize this and try to change what headers your page sends. If you look at the header example from Google, each header begins on a new line. An attacker could modify how the header is set by cleverly changing the URL:
www.mysite.com/page1.php?redirect=www.abadsite.com
But this is not the worst that could happen. Recognizing that line breaks come in between each header, an attacker could even change the entire look of your site:
www.mysite.com/page1.php?redirect=\r\nContent-type:text/html\r\n<html>new site!</html>
This would insert a new header (Content-Type) and some HTML, which would be placed at the top of the page as if it were meant to be there. Although the URL pasted above is not a complete attack (more headers would be required), it illustrates how the attack works.
How Does this Impact my Security?
Header splitting is as dangerous as other attacks meant to steal data from users of a site.
Getting a user to click on these specially crafted links is not as difficult as it may appear, since an attacker may post the link to popular message boards, embed it inside <img> HTML tags, or use many other ways of tricking a user into following a link.
Therefore, header splitting should be taken as seriously as other forms of user data theft such as cross-site scripting attacks.
Preventing Response Splitting
Like many other attacks, this one is based on data passed in by the user, or which may be modified by the user in some form. Any time you set header information inside your application, make sure that the data either cannot be modified by a user or is well sanitized. For header values this means carefully checking that the input is what you expect, and checking its length.
As with all data checking, there is no single solution for every possible attack, but whitelisting your data is a good place to start. Remove carriage return (\r, CR, and its encoded variants) and line feed (\n, LF, and its encoded variants) characters, since these are what terminate one header line and begin the next.
Finally, ensure your webserver and web scripting code are up to date. PHP 5.1.2 added header splitting defense mechanisms to the header() function used above. Keeping all aspects of your server up to date can help eliminate the most common forms of attack.
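As an added example (not code from the original article), here is the redirect above written defensively in Python, with the naive concatenation beside it so the difference in emitted header lines can be checked; the function names and the allowlisted hosts are assumptions:

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed allowlist: the only hosts this application will redirect users to.
ALLOWED_HOSTS = {"www.mysite.com", "accounts.mysite.com"}

# CR, LF and NUL can end the header line and let the rest of the value become new headers.
_CTL = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value: str) -> bool:
    """Reject values that could terminate the header line, raw or percent-encoded."""
    return not (_CTL.search(value) or _CTL.search(unquote(value)))


def validate_redirect(target: str) -> Optional[str]:
    """Return the target only if it is line-safe, absolute, and on the allowlist."""
    if not is_safe_header_value(target):
        return None
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return None
    return target


def vulnerable_redirect_response(target: str) -> str:
    """The page's pattern: the untrusted value is concatenated straight into the header."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n"


def build_redirect_response(target: str) -> str:
    """Hardened version: unsafe or off-list input produces a 400 instead of a split response."""
    safe = validate_redirect(target)
    if safe is None:
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return f"HTTP/1.1 302 Found\r\nLocation: {safe}\r\nContent-Length: 0\r\n\r\n"


def header_count(raw_response: str) -> int:
    """Number of header lines in a raw response; more than intended signals a split."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1  # exclude the status line


if __name__ == "__main__":
    payload = "\r\nContent-type:text/html\r\n<html>new site!</html>"  # the page's example value
    print("naive header lines:", header_count(vulnerable_redirect_response(payload)))
    print("hardened response:", build_redirect_response(payload).split("\r\n")[0])
```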
Additional Resources
Find Insecure Settings on your Webserver