The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 12  ■ Attacking Other Users








Depending on the application, setting a particular cookie may interfere with the application’s logic to the disadvantage of the user (for example, UseHttps=false). Also, setting an attacker-controlled session token may be used to perform a session fixation attack (described later in this chapter).

Delivering Other Attacks

Because HTTP header injection enables an attacker to control the entire body of a response, it can be used as a delivery mechanism for practically any attack against other users, including virtual web site defacement, script injection, arbitrary redirection, attacks against ActiveX controls, and so on.

HTTP Response Splitting

This is an attack technique which seeks to poison a proxy server’s cache with malicious content, in order to compromise other users who access the application via the proxy. For example, if all users on a corporate network access an application via a caching proxy, the attacker can target them by injecting malicious content into the proxy’s cache, which will be displayed to any users who request the affected page.

A header injection vulnerability can be exploited to deliver a response splitting attack using the following steps:

1. The attacker chooses a page of the application that he wishes to poison within the proxy cache. For example, he might replace the page at /admin/ with a Trojan login form that submits the user’s credentials to the attacker’s server.

2. The attacker locates a header injection vulnerability and formulates a request that injects an entire HTTP body into the response, plus a second set of response headers, and a second response body. The second response body contains the HTML source code for his Trojan login form. The effect is that the server’s response looks exactly like two separate HTTP responses chained together. Hence the name of the attack technique, because the attacker has effectively “split” the server’s response into two separate responses. For example:

GET /home.php?uid=123%0d%0aContent-Length:+22%0d%0a%0d%0a<html>%0d%0afoo%0d%0a</html>%0d%0aHTTP/1.1+200+OK%0d%0aContent-Length:+2307%0d%0a%0d%0a<html>%0d%0a<head>%0d%0a<title>Administrator+login</title>%0d%0a[...long URL...] HTTP/1.1
Host: wahh-app.com
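As an added illustration (not code from the book), the following Python models the mechanism above from the defender’s side: a response builder that echoes a request parameter into a header unchecked, the same builder with a CR/LF check, and a minimal Content-Length based parser standing in for the caching proxy, which reads two chained responses out of the unchecked server’s single reply. The function names, the Set-Cookie header and the sample payload are constructed for this demo; the payload mirrors the shape of the request shown, with a 22-byte first body and a second Content-Length sized to swallow the server’s own trailing output.

```python
import re

CRLF = "\r\n"

def build_response_vulnerable(uid: str, body: str = "Welcome") -> str:
    """Constructed server: echoes the uid parameter into Set-Cookie unchecked,
    so CR/LF inside uid ends the header and injects whatever follows."""
    return ("HTTP/1.1 200 OK" + CRLF
            + "Set-Cookie: uid=" + uid + CRLF
            + "Content-Type: text/html" + CRLF
            + "Content-Length: " + str(len(body)) + CRLF
            + CRLF + body)

def build_response_hardened(uid: str, body: str = "Welcome") -> str:
    """Same builder, but a header value carrying CR or LF is refused."""
    if re.search(r"[\r\n]", uid):
        raise ValueError("CR/LF not permitted in a header value")
    return build_response_vulnerable(uid, body)

def split_responses(raw: str) -> list:
    """Stand-in for a naive caching proxy: read headers up to the blank line,
    take Content-Length bytes as the body, repeat while data remains."""
    messages, pos = [], 0
    while pos < len(raw):
        end = raw.find(CRLF + CRLF, pos)
        if end < 0:
            break
        lines = raw[pos:end].split(CRLF)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4  # skip the CRLF CRLF that ends the head
        messages.append({"status": lines[0], "headers": headers,
                         "body": raw[body_start:body_start + length]})
        pos = body_start + length
    return messages

# Constructed payload in the shape of the book's request: a 22-byte first body,
# then a second status line whose Content-Length (82 here, 2307 in the book) is
# sized to swallow the server's own trailing headers and body.
SPLIT_PAYLOAD = ("123" + CRLF + "Content-Length: 22" + CRLF + CRLF
                 + "<html>" + CRLF + "foo" + CRLF + "</html>" + CRLF
                 + "HTTP/1.1 200 OK" + CRLF + "Content-Length: 82" + CRLF + CRLF
                 + "<title>Trojan login</title>")
```

Running split_responses over build_response_vulnerable(SPLIT_PAYLOAD) yields two messages, the second carrying the injected title and the server’s real headers as body text, whereas build_response_hardened rejects the same input before a header line can be terminated.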



