web application security lab

Response Splitting Filter Evasion

While playing with a redirection issue on a pretty major website I found a pretty weird HTTP response splitting issue, where forward slashes were not allowed (or rather, once you entered a forward slash it caused the whole redirection to be removed). Clearly the website was trying to protect itself from something, although I’m not exactly sure how or why. Here’s what I ended up doing.

Normally it would just do something like Location: http://somesite.com/ where whatever you typed in the URL field would end up in the Location header. Pretty typical response splitting I’d think, except I can’t inject a slash, so closing HTML tags are out (shouldn’t be a problem), but now I also can’t switch the response from plaintext into HTML, which makes any HTML injection pointless.

So I ended up shortening the response splitting payload: instead of typing in Content-Type: text/html I just put in Content-Type: html (I removed “text/”, which isn’t important to the attack). So it ended up looking like:

%0AContent-Type:html%0A%0A%3Cbody%20onload=alert(%22XSS%22)%3E
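The point for defenders is that the site's filter keyed on the wrong character: a slash has nothing to do with splitting a response, whereas a single CR or LF in a header value does. The following Python is an added example (not code from the post) that models the slash-only check, shows that the decoded payload above passes it while a CR/LF check catches it, and then does what a redirect endpoint should do: reject header-breaking characters and only redirect to an allowlisted host. The allowlist host and the sample target URLs are constructed for the example.

```python
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample: the decoded form of the payload quoted in the post.
# It contains no '/', so a slash-only filter lets it through.
SAMPLE_INJECTED = unquote("%0AContent-Type:html%0A%0A%3Cbody%20onload=alert(%22XSS%22)%3E")

# Hypothetical allowlist of hosts this endpoint may redirect to.
ALLOWED_HOSTS = {"somesite.com"}


def slash_filter_passes(value: str) -> bool:
    """Models the site's check described in the post: only a '/' is rejected."""
    return "/" not in value


def contains_header_break(value: str) -> bool:
    """The check that actually matters: CR or LF inside a header value
    terminates the Location line and lets the rest become new headers/body."""
    return "\r" in value or "\n" in value


def naive_redirect_header_lines(target: str) -> List[str]:
    """Build the Location header the way a careless handler does (string concat)
    and split it the way the HTTP layer would. More than one line == response split."""
    return ("Location: " + target).split("\n")


def safe_location(raw_target: str) -> Optional[str]:
    """Return a usable Location value, or None if the target must be refused.

    raw_target is the percent-encoded query parameter; it is decoded once,
    as a web framework would do before handing it to the handler.
    """
    target = unquote(raw_target)
    # 1. Refuse anything that could break out of the header line.
    if contains_header_break(target):
        return None
    # 2. Refuse anything that is not an absolute http(s) URL to an allowed host
    #    (closes the open-redirect problem the post ends on).
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.hostname is None or parts.hostname.lower() not in ALLOWED_HOSTS:
        return None
    return target


def build_redirect(raw_target: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Status and header list for the redirect; falls back to a 400 instead of
    redirecting when the target fails validation."""
    location = safe_location(raw_target)
    if location is None:
        return 400, [("Content-Type", "text/plain")]
    return 302, [("Location", location)]


if __name__ == "__main__":
    print("slash filter passes payload:", slash_filter_passes(SAMPLE_INJECTED))
    print("CRLF check catches payload: ", contains_header_break(SAMPLE_INJECTED))
    print("naive header line count:    ", len(naive_redirect_header_lines("http://somesite.com" + SAMPLE_INJECTED)))
    print(build_redirect("http://somesite.com/welcome"))
    print(build_redirect("http://somesite.com%0AContent-Type:html%0A%0A%3Cbody%3E"))
```

Two things worth noting about the design: the CR/LF rejection is done on the decoded value, because that is the form that ends up in the header, and the host allowlist is applied with urlsplit rather than a prefix match, so a target such as http://somesite.com.attacker.example would not pass just because it starts with the expected host name.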

I can’t help but think there are nearly as many variants of response splitting as there are traditional XSS attacks. Just another reason not to have open redirection on your site.
