HTTP Response Splitting (also called header splitting) is an attack against the users of a site rather than against the server itself. It can be used to mount cross-site scripting, to steal user data such as session cookies, or to deface a site so that it appears to carry content its owner never put there.
How serious is HTTP Response Splitting?
Every time a browser requests a web page, the request carries headers, and the server's response carries headers of its own ahead of the page content. Response headers do important work: they tell the browser the content type and character set of the page, whether to follow a redirect or store a cookie, and how long the page may be cached. Here is a sample request sent to Google, as captured from a browser; response headers use the same one-header-per-line format:
Kod:
http://www.google.com/

GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
While writing an application there are many times you will want to set a header yourself. A common task in PHP, for instance, is to redirect the user to another URL by setting a response header with header(). As a simple illustration of response splitting, imagine a page that sets that header straight from a parameter found in the URL (a GET parameter):
Kod:
<?php
// Deliberately vulnerable: the untrusted GET parameter is concatenated into a
// response header with no validation at all. The header name is masked as
// ******** on the original page; Location is assumed here because the
// parameter is called redirect. ($GET on the original page is a typo for $_GET.)
header("Location: " . $_GET['redirect']);
?>
This code sets the Location header for your page (the header name is masked on the original page; Location is the obvious candidate given the parameter name), and the browser will follow it to whatever URL the parameter holds. A malicious person who recognizes this can change which headers your page sends. Look again at the Google example: every header begins on a new line. The simplest abuse needs no trickery at all, only a different URL, which turns the page into an open redirect to a site the attacker controls:
Kod:
www.mysite.com/page1.php?redirect=http://www.abadsite.com
But that is not the worst that can happen. Since a line break separates each header from the next, an attacker who can get a CR LF pair into the value ends the Location header early and appends headers of his own, and can go on to change the entire look of your site:
Kod:
www.mysite.com/page1.php?redirect=%0d%0aContent-type:text/html%0d%0a<html>new site!</html>
In a URL the CR LF pair (\r\n) is written as %0d%0a; the server decodes it before concatenating, so the header block now contains an injected Content-Type line followed by attacker-supplied HTML, which the browser renders as though it had always been part of the page. The URL above is not a complete attack: a blank line (%0d%0a%0d%0a) is needed to end the header block before the HTML, and a Content-Length on the first response lets the attacker terminate it so that the injected bytes are read as a complete second response, which is where the name "splitting" comes from. It does, however, illustrate how the attack works. Note that PHP itself has refused header() values containing a newline since version 5.1.2, so the snippet above is exploitable only on older PHP or in frameworks that build headers without such a check; the real fix is to validate the value yourself, rejecting CR and LF and allowing only the redirect targets you expect.
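To make the mechanics concrete, here is an added example (not code from the original page) that simulates the vulnerable concatenation in Python rather than PHP, completes the payload above with the blank line and Content-Length the text says are missing, parses the resulting bytes the way a lenient HTTP client would, and shows that they come apart into two responses. Beside it is the hardened version, which rejects control characters and restricts the redirect target to an allowlist, so the same URL gets a 400 instead. The hostnames are the ones used on this page; the attack URL, the allowlist and the function names are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed attack URL: the page's payload plus the pieces it says are
# missing. %0d%0a is a CR LF pair; the first injected Content-Length: 0
# terminates the real 302 so the bytes after it are read as a second response.
ATTACK_URL = (
    "http://www.mysite.com/page1.php?redirect="
    "http://www.mysite.com/%0d%0a"
    "Content-Length:%200%0d%0a"
    "%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0a"
    "Content-Length:%2022%0d%0a"
    "%0d%0a"
    "<html>new%20site!</html>"
)

ALLOWED_HOSTS = {"www.mysite.com"}  # assumed: the only host we redirect to


def redirect_param_from_url(url: str) -> str:
    """URL-decode the redirect parameter exactly as the server would (%0d%0a -> CR LF)."""
    return parse_qs(urlsplit(url).query)["redirect"][0]


def build_vulnerable_response(redirect_param: str) -> bytes:
    """Mirror the page's PHP: the raw parameter lands in the Location header untouched."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + redirect_param + "\r\n\r\n").encode("latin-1")


def safe_redirect_target(redirect_param: str) -> str:
    """Return the target if it is safe to redirect to, else raise ValueError."""
    if not redirect_param.isascii() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in redirect_param):
        raise ValueError("control or non-ASCII character in redirect target")
    parts = urlsplit(redirect_param)
    if parts.scheme in ("http", "https") and parts.netloc in ALLOWED_HOSTS:
        return redirect_param
    if not parts.scheme and not parts.netloc and redirect_param.startswith("/") and not redirect_param.startswith("//"):
        return redirect_param  # same-origin relative path
    raise ValueError("redirect target not in allowlist")


def build_hardened_response(redirect_param: str) -> bytes:
    """Validate first; refuse the request rather than emit a header we cannot trust."""
    try:
        target = safe_redirect_target(redirect_param)
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return ("HTTP/1.1 302 Found\r\nLocation: " + target + "\r\nContent-Length: 0\r\n\r\n").encode("ascii")


def parse_responses(raw: bytes) -> list:
    """Split a byte stream into HTTP responses like a lenient client: status line,
    headers up to the first blank line, then Content-Length bytes of body."""
    responses, pos = [], 0
    while True:
        while raw.startswith(b"\r\n", pos):  # tolerate stray blank lines between messages
            pos += 2
        if not raw.startswith(b"HTTP/", pos):
            break
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        status, *header_lines = raw[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = raw[body_start:body_start + length].decode("latin-1")
        responses.append({"status": status, "headers": headers, "body": body})
        pos = body_start + length
    return responses


if __name__ == "__main__":
    param = redirect_param_from_url(ATTACK_URL)
    for label, builder in (("vulnerable", build_vulnerable_response), ("hardened", build_hardened_response)):
        for i, resp in enumerate(parse_responses(builder(param)), 1):
            print(f"{label} response {i}: {resp['status']} body={resp['body']!r}")
```

Run as a script, the vulnerable build yields two responses, the second being the attacker's 200 OK carrying "new site!", while the hardened build yields a single 400. The allowlist is what closes the open-redirect case too: build_hardened_response("http://www.abadsite.com") is refused even though it contains no line breaks, so the two problems on this page are fixed by the same validation routine.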