HTTP Header Injection, Location Response Splitting, CWE-113, CRLF, 0x20, %0A%0D, XSS.CX, PoC

Navigation

Anti-Phishing Blog

XSS, LFI, Linksys E4200 Firmware, 0D
Mon, 06 May 2013 15:59:00 +0000
XSS, Javascript Injection, Brother MFC-9970CDW Printer Firmware L, 0D
Mon, 06 May 2013 15:53:00 +0000
CVE-2013-0438, Oracle Java JRE 7u5 SOP Bypass for ZIP-Based Filetypes, XSS, Cross Site Scripting
Wed, 27 Mar 2013 02:46:00 +0000
CVE-2012-1903, Stored XSS, Javascript Injection, Telligent Community 5.6.583.20496
Mon, 25 Mar 2013 16:14:00 +0000
CVE-2012-1503, Movable Type Pro 5.13en, Stored XSS, CWE-79, CAPEC-86, Full Disclosure
Wed, 17 Oct 2012 02:16:00 +0000
CVE-2012-1500, JIRA, GreenHopper, Stored XSS, CWE-79, CAPEC-19, Resolved
Mon, 03 Sep 2012 14:35:00 +0000
RESOLVED: SQL Injection, XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, pri.kts-af.net, CWE-89, Database Admin
Wed, 23 May 2012 04:18:00 +0000
RESOLVED: XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, search.lists.apple.com
Wed, 23 May 2012 04:09:00 +0000
apple.com, Resolved, XSS, Cross Site Scripting, Javascript Injection, Shortcut, Bookmark
Sun, 25 Mar 2012 14:05:00 +0000
discussions.apple.com, Resolved, XSS, Cross Site Scripting, CWE-79, CAPEC-86, Javascript Injection, Example, PoC, Report
Sun, 25 Mar 2012 14:00:00 +0000
mynews.apple.com, Resolved, HTTP Header Injection, Location Response Splitting, CWE-113, CRLF
Sun, 25 Mar 2012 13:52:00 +0000
CVE-2011-4763, Plesk Site Editor, CPanel 10.2.x, XSS, SQL Injection, CVE-2011-4764, CVE-2011-4765, CVE-2011-4766, CVE-2011-4767, CVE-2011-4768
Mon, 06 Feb 2012 13:34:00 +0000
CVE-2011-5020, Online TV Database, SQL Injection, CWE-89, CAPEC-66
Mon, 06 Feb 2012 12:53:00 +0000
Caveat Emptor, Caveat Venditor, Paros Pro Desktop Version 1.9.12 for Windows, WebAppSec, SCAP Tools
Sat, 28 Jan 2012 14:00:00 +0000
CVE-2011-5018, Koala Framework, XSS, Resolved, Cross Site Scripting, CWE-79, CAPEC-86
Sat, 31 Dec 2011 15:19:00 +0000
CVE-2011-4776, CVE-2011-4777, Parallels Plesk Panel v10.4.4_build20111103.18 os_Windows 2003/2008, XSS, Cross Site Scripting, CWE-79, CAPEC-86
Sat, 31 Dec 2011 13:43:00 +0000
SSO, XSS, CVE-2011-4745, PSA v10.3.1_build1013110726.09 os_RedHat el6, Billing Manager, CVE-2011-4746, CVE-2011-4747, CVE-2009-3555, CVE-2011-4748, CVE-2011-4749
Sun, 11 Dec 2011 23:10:00 +0000
CVE-2011-4750, SmarterTools WebServer, CVE-2011-2151, CVE-2011-2155, CVE-2011-4751, CVE-2011-2154, CVE-2011-2158, CVE-2011-4752
Sun, 11 Dec 2011 22:55:00 +0000
CVE-2011-4734, Plesk Control Panel for Windows Version 10.2.x Build 20110407.20,CVE-2011-4735, CVE-2011-4736, CVE-2011-4737, CVE-2011-4738, CVE-2011-4739, CVE-2011-4740, CVE-2011-4741, CVE-2011-4742, CVE-2011-4743, CVE-2011-4744
Sun, 11 Dec 2011 22:33:00 +0000
CVE-2011-4753, Plesk Control Panel for Windows Version 10.2.0, CVE-2011-4754, CVE-2011-4755, CVE-2011-4756, CVE-2011-4757, CVE-2011-4758, CVE-2011-4759, CVE-2011-4760, CVE-2011-4761, CVE-2011-4762
Sun, 11 Dec 2011 22:22:00 +0000
CVE-2011-4725, Plesk Parallels Panel Version psa v10.2.0_build1011110331.18 os_RedHat el6, CVE-2011-4726, CVE-2011-4727, CVE-2011-4728, CVE-2011-4729, CVE-2011-4730, CVE-2011-4731, CVE-2011-4732, CVE-2011-4733
Sun, 11 Dec 2011 22:06:00 +0000
google.com, XSS, Resolved, Captcha Form, Best Practices, Cross Site Scripting, CWE-79, CAPEC-86
Thu, 08 Dec 2011 18:54:00 +0000
groupon.com, XSS, Resolved, Cross Site Scripting, CWE-79, CAPEC-86
Wed, 30 Nov 2011 20:00:00 +0000
Commentary, Apple, Vulnerability Reporting, Stats, Burp Suite Pro, DOMinator, FuzzDB, Best Practices, Full Disclosure, Metrics, CoTs
Thu, 17 Nov 2011 22:36:00 +0000
wdg2.apple.com, XSS, Resolved, SSO, Cross Site Scripting, CWE-79, CAPEC-86, Best Practices
Thu, 17 Nov 2011 20:21:00 +0000

System Status

Vulnerability Research

Research, Discussion and Analysis | XSS.CX

HTTP Header Injection, HTTP Response Splitting, CWE-113, CRLF, 0x20

HTTP Header Injection Reports | HTTPi - Set Cookie PoC | HTTPi - Location Response PoC | HTTPi - Eyeblaster Cookie PoC

Loading

Proof of Concept Example from bing.com

Consider the following URL: http://victim.fqdn/search.php?q=http://xss.cx/%3f%0D%0ALocation:%20http://xss.cx/default.aspx?cwe-113-poc-via-victim.fqdn. The Attacker gains Full Control of the Application Response with the injection sequence CRLF!

HTTP Header Injection in bing.com

Don't let the Location: get Split!

Depending on the application. An attacker might carry out the following forms of attacks:

Cross-site Scripting attack which can lead to session hijacking
Session fixation attack by setting a new cookie, which can again lead to session hijacking

Actions to Take

See the remedy for solution.
Ensure the server security patches are up to date and that the current stable version of the software is in use.

Remedy

Do not allow newline characters in input. Where possible use strict white listing. If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Required Skills for Successful Exploitation

Crafting the attack to exploit this issue is not a complex process. However most of the unsophisticated attackers will not know that such an attack is possible. Also an attacker needs to reach his victim by an e-mail or other similar method in order to entice them to visit the site or click upon a URL.

External References