Today, Sanctum released a new whitepaper, titled "Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics". The full paper can be found in the following link: http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf
The paper's abstract is copied below:
"HTTP Response Splitting" is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and an old favorite, cross-site scripting (XSS). This attack technique, and the attacks derived from it, are relevant to most web environments and are the result of the application's failure to reject illegal user input, in this case, input containing malicious or unexpected characters.
Cross user defacement enables the attacker to forge a page that is sent to the victim. It can be looked at as a very localized and temporary kind of defacement, which affects one user at a time. Web cache poisoning elevates that defacement into a permanent effect on a more global scope by forging a cached page in a cache server shared among a multitude of site users. Hijacking pages with sensitive user information lets the attacker gain access to user-specific information provided by the server such as health records or financial data. Cross-site scripting enables the attacker to steal other clients' credentials that are then used in conjunction with the vulnerable site. HTTP response splitting, and the derived attacks, are relevant to most web environments including Microsoft ASP, ASP.NET, IBM WebSphere, BEA WebLogic, Jakarta Tomcat, Macromedia ColdFusion/MX, Sun Microsystems SunONE; popular cache servers such as NetCache, Squid and Apache; and popular browsers such as Microsoft IE 6.0.
The HTTP response splitting vulnerability is the result of the application's failure to reject illegal user input, specifically input containing malicious or unexpected CR and LF characters.
This paper will describe the concept of the attack and provide some use cases. We will include a description of the basic technique and practical considerations of various aspects of the attack, and some theoretical results in one case. Finally, we comment on evidence of the vulnerability in the wild, some research byproducts, recommendations, conclusions, related work and references. The full list of products we experimented with is provided in the appendix.
Thanks,
-Amit

Amit Klein
Director of security and research, Sanctum
W: +972-9-9586077 x225, F: +972-9-9576337
1 Sapir St., Ampa Bldg., Herzlia 46733 Israel
amit.klein@sanctuminc.com
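The root cause named in the abstract, a header value built from user input that was never checked for CR and LF, can be shown in a few lines. The following is an added example, not code from the Sanctum paper or from any of the products it lists; the header name `X-Injected` and the redirect target are constructed values, and the naive/hardened function pair is hypothetical.

```python
import re
from typing import List

# Any CR, LF or other ASCII control character in a header value is a
# red flag: a raw CR+LF terminates the header line, so whatever follows
# is parsed as further headers or, after a blank line, as a second
# response. Rejecting such input is the fix the abstract points to.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def header_value_is_safe(value: str) -> bool:
    """True when value contains no CR, LF or other control characters."""
    return _CONTROL_CHARS.search(value) is None

def naive_redirect(location: str) -> bytes:
    """Vulnerable construction: the request parameter is concatenated
    straight into the Location header with no validation."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")

def hardened_redirect(location: str) -> bytes:
    """Same header, but the value is rejected outright if it carries
    CR, LF or any other control character."""
    if not header_value_is_safe(location):
        raise ValueError("control character in header value")
    return naive_redirect(location)

def parse_header_names(raw: bytes) -> List[str]:
    """Header field names a cache or browser would see in the first
    response block of raw (the status line is skipped)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]
    return [ln.split(b":", 1)[0].decode("latin-1") for ln in lines if b":" in ln]

# Constructed inputs: a benign redirect target and one carrying CR+LF
# followed by a harmless marker header (hypothetical name).
BENIGN = "/account/home"
TAINTED = "/account/home\r\nX-Injected: 1"

if __name__ == "__main__":
    print(parse_header_names(naive_redirect(BENIGN)))   # ['Location', 'Content-Length']
    print(parse_header_names(naive_redirect(TAINTED)))  # ['Location', 'X-Injected', 'Content-Length']
    try:
        hardened_redirect(TAINTED)
    except ValueError as exc:
        print("rejected:", exc)
```

The same check belongs on every header built from request data (cookies, Location, Content-Type), and a proxy-side count of status lines per response is a cheap way to spot split responses in transit.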