web application security lab

Response Splitting in Digest Auth

Stefano di Paola had a really interesting post the other day about how you can do HTTP response splitting inside digest authentication in IE 7.0, Firefox and Safari. For those of you who aren’t familiar with how this works, older browsers let you authenticate through the URL field with the syntax http://username:pass@site.com/. Most browsers have since tried to restrict or completely remove this behaviour, although it still works in some cases.

In the example Stefano gives, he was able to inject arbitrary headers by putting a newline (%0a) into the username part of the URL. Very cool hack, and it suddenly brings back a wide variety of exploits that were pretty much out of commission because all of the XMLHttpRequest and Flash tricks had been removed. It’s not clear how long these will stick around, but it’s great work by Stefano.
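As an added example (not code from the original post or from Stefano’s write-up), here is the defender’s side of the trick described above: a check that flags URLs whose userinfo carries CR/LF before a browser turns it into an Authorization header, and a raw-request check a proxy or IDS could run to spot a Digest username that spilled onto a second header line. All URLs and requests are constructed samples.

```python
import re
from urllib.parse import urlsplit, unquote

# CR, LF and NUL: the characters that let a credential break out of its header line.
CONTROL_RE = re.compile(r"[\r\n\x00]")

# Constructed samples (not from the post). SPLIT_URL carries a percent-encoded
# CR LF in the username, the vector the post describes.
BENIGN_URL = "http://alice:s3cret@example.com/protected/"
SPLIT_URL = "http://alice%0d%0aX-Injected:%20yes@example.com/protected/"
BENIGN_REQUEST = ("GET /protected/ HTTP/1.1\r\nHost: example.com\r\n"
                  'Authorization: Digest username="alice", realm="site", nonce="abc"\r\n\r\n')
SPLIT_REQUEST = ("GET /protected/ HTTP/1.1\r\nHost: example.com\r\n"
                 'Authorization: Digest username="alice\r\n'
                 'X-Injected: yes", realm="site", nonce="abc"\r\n\r\n')


def userinfo_control_chars(url):
    """Return [(field, decoded_value), ...] for username/password fields whose
    percent-decoded value contains CR, LF or NUL; [] means the userinfo is clean."""
    # Newer urllib releases silently drop literal CR/LF before parsing, so look at
    # the raw userinfo first instead of trusting the parsed result alone.
    netloc = url.split("://", 1)[-1].split("/", 1)[0]
    if "@" in netloc:
        raw_userinfo = netloc.rsplit("@", 1)[0]
        if CONTROL_RE.search(raw_userinfo):
            return [("userinfo", raw_userinfo)]
    parts = urlsplit(url)
    findings = []
    for field in ("username", "password"):
        value = getattr(parts, field)
        if value is not None and CONTROL_RE.search(unquote(value)):
            findings.append((field, unquote(value)))
    return findings


def digest_username_split(raw_request):
    """Detection over a raw request as a proxy or IDS sees it: a Digest username=
    value whose closing quote is not on the same header line means a CR/LF
    reached the wire inside the credential."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("authorization: digest"):
            start = line.find('username="')
            if start == -1:
                return False
            return '"' not in line[start + len('username="'):]
    return False
```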

And sorry for talking about this late. I knew about this several days ago but I am still very much immersed in my move. I’m living out of a hotel room at this point. Oh, I never truly knew the joys of domestic violence in the morning. It’s better than a cup of coffee.

3 Responses to “Response Splitting in Digest Auth”

  1. Andy Says:

    So, Stefano and I were trading mail about this and I’m still not clear on the flow….

    Is this response splitting, or request splitting? As in, allowing arbitrary header injection is what a browser sends to the server?

    If that’s the case then it relies on the server running digest authentication, right?

    Or, are we getting the browser to split the request and make a second request to a site the user had not intended?

  2. Jordan Says:

    If I’m following it right, it looks like it’s request splitting, and yes, only on digest auth pages. It doesn’t look like he talks about a way to force the browser to carry over that split request to a non-digest page, though that would be a really nice addition to this if possible.

    The redirect is just used to obfuscate the URL, I think, though a typo in the redirected URL (avilhost, not evilhost) did confuse me for a second as to whether he was somehow causing the credentialed request to be sent elsewhere, but since he’s still relying on the same req.php to force auth there, it doesn’t look like the redirect is doing anything besides keeping the NL from being as obvious.

  3. lpilorz Says:

    Yes, it’s _request_ splitting, the title here has a typo I think :)