Stefano di Paola had a really interesting post the other day about how you can do HTTP Response splitting inside digest authentication in IE7.0, Firefox and Safari. For those of you who aren't familiar with how this works, older browsers allowed you to do authentication in the URL field with the syntax http://username:password@host/. Most browsers have tried to somehow reduce or completely remove this behaviour, although it is still possible in some cases.
In the example Stefano gives, he was able to inject arbitrary headers by putting a newline (%0a) into the username part of the URL. Very cool hack, and it suddenly brings back a wide variety of exploits that were pretty much out of commission because all of the XMLHttpRequest and Flash tricks had been removed. It's not clear how long these will stick around, but it's great work by Stefano.
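The defensive side of the trick above, as an added example that is not from Stefano's post or from this blog: any client that lifts credentials out of a user:pass@host URL has to reject control characters in the userinfo before the username is written into an Authorization header line, or a %0a there ends the header and starts a new one. The function names and the sample URLs are constructed for illustration; Basic is used to build the header for brevity, but the check is the same before building a Digest header.

```python
"""Reject URL userinfo that would let CR/LF reach an HTTP header line.

Added example (hypothetical helper names, constructed sample URLs).
A newline in the username of user:pass@host is harmless in the URL
itself; it becomes header injection only once a client copies the
decoded username into an Authorization header.  Validate first.
"""
import base64
import re
from urllib.parse import urlsplit, unquote

# CR, LF and every other ASCII control character must never reach a header.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def extract_userinfo(url: str):
    """Return (username, password) decoded from the URL, or None if absent.

    Raises ValueError when the raw URL or the percent-decoded credentials
    contain a control character: a CR/LF there would terminate the header
    line and turn the remainder into attacker-chosen headers.
    """
    # Check the raw URL too: urlsplit() silently strips raw CR/LF/TAB,
    # so a check on the decoded fields alone would miss them.
    if _CTL.search(url):
        raise ValueError("control character in URL")
    parts = urlsplit(url)
    if parts.username is None:
        return None
    user = unquote(parts.username)          # %0a becomes "\n" here
    password = unquote(parts.password or "")
    for field in (user, password):
        if _CTL.search(field):
            raise ValueError("control character in URL userinfo")
    return user, password


def userinfo_is_safe(url: str) -> bool:
    """True when the URL carries no userinfo or only header-safe userinfo."""
    try:
        extract_userinfo(url)
        return True
    except ValueError:
        return False


def basic_auth_header(url: str):
    """Build the Authorization value only after the credentials pass."""
    creds = extract_userinfo(url)
    if creds is None:
        return None
    token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
    return f"Basic {token}"
```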
And sorry for talking about this late. I knew about this several days ago, but I am still very much immersed in my move. I'm living out of a hotel room at this point. Oh, I never truly knew the joys of domestic violence in the morning. It's better than a cup of coffee.