HTTP protocol header injection vulnerability - vulnerability warning - Black Bar Safety Net (myhack58)

2012-05-17T00:00:00
ID MYHACK58:62201233906
Type myhack58
Reporter Anonymous
Modified 2012-05-17T00:00:00

Description

Including unvalidated data in an HTTP response header can lead to cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation, or open redirects.

HTTP protocol header injection vulnerability principle

An HTTP header injection vulnerability exists when both of the following hold:
1. Data enters the web application from an untrusted source, most commonly an HTTP request.
2. That data is included, without validation, in an HTTP response header sent to a web user.

One of the most common header manipulation attacks is HTTP response splitting. For HTTP response splitting to succeed, the application must allow input containing CR (carriage return, written as %0d or \r) and LF (line feed, written as %0a or \n) characters to reach a header.

With these characters, an attacker can control not only the remaining headers and the body of the response the application sends, but can also create additional responses that are entirely under their control.

HTTP protocol header injection vulnerability example

<?php
// some_location comes straight from the query string and is written
// into the Location header without any validation.
$location = $_GET['some_location'];
header("Location: $location");
?>

Suppose the request submits an ordinary alphanumeric string such as "index.html"; the HTTP response that includes this header might then take the following form:

HTTP/1.1 200 OK
...
Location: index.html
...

However, because the value of this header is built from unvalidated user input, the response keeps this form only as long as the value submitted for some_location contains no CR or LF characters.

If an attacker instead submits a malicious string such as:

"index.html\r\nHTTP/1.1 200 OK\r\n..."

then the HTTP response is split into the following two responses:

HTTP/1.1 200 OK
Location: index.html

HTTP/1.1 200 OK
...

Obviously, the second response is completely controlled by the attacker, who can build it with whatever headers and body content they need. Because the attacker can construct arbitrary HTTP responses, this enables a variety of attacks.

HTTP protocol header injection vulnerability solution

Many modern application servers now prevent malicious characters from being injected into HTTP headers.

For example, when a newline is passed to the header() function, recent versions of PHP generate a warning and stop creating the header. If your version of PHP refuses to set headers containing newline characters, it already defends against HTTP response splitting.

Common code-level solutions:

1. Strictly check whether a variable has been initialized before using it.

2. In the code that sets HTTP response headers, filter out carriage-return and line-feed characters (%0d%0a and %0D%0A).

3. Do not allow the parameters of the header() function to be externally controllable.
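The following added example (not code from the original page) shows the two checks a defender wants around the Location header above: a validator that refuses CR/LF, including the %0d%0a form, and restricts the redirect target so the header is not an open redirect either, plus a proxy-side count of status lines that detects a split response on the wire. The inputs and the allowed host example.com are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample values for some_location (not taken from the page).
SAFE_INPUT = "index.html"
SPLIT_INPUT = "index.html\r\nHTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
ENCODED_INPUT = "index.html%0d%0aSet-Cookie: sid=attacker"

CTL_CHARS = re.compile(r"[\x00-\x1f\x7f]")          # CR, LF and other control bytes
STATUS_LINE = re.compile(rb"(?m)^HTTP/1\.[01] \d{3} ")

class HeaderInjection(ValueError):
    """Raised instead of emitting the header, as modern PHP's header() does."""

def sanitize_header_value(value: str) -> str:
    """Reject CR/LF in a header value, also when smuggled as %0d%0a.
    Runs on the raw string first: urlsplit silently strips CR/LF, so
    parsing before this check would hide the injection."""
    if CTL_CHARS.search(value) or CTL_CHARS.search(unquote(value)):
        raise HeaderInjection("control character in header value")
    return value

def safe_location(value: str, allowed_host: str = "example.com") -> str:
    """Location value that is neither splittable nor an open redirect.
    Accepts a relative path or an https URL on allowed_host (an assumed
    application setting); '//evil.example' parses as a netloc and is rejected."""
    clean = sanitize_header_value(value)
    parts = urlsplit(clean)
    if parts.scheme or parts.netloc:
        if parts.scheme != "https" or parts.netloc.lower() != allowed_host:
            raise HeaderInjection("redirect target outside the allowed host")
    return clean

def rejects(value: str) -> bool:
    """True when safe_location refuses the value."""
    try:
        safe_location(value)
    except HeaderInjection:
        return True
    return False

def naive_response(location: str) -> bytes:
    """What the page's unvalidated header() call puts on the wire."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode()

def count_status_lines(raw: bytes) -> int:
    """Proxy/WAF view: more than one status line means the response was split."""
    return len(STATUS_LINE.findall(raw))
```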