Appendix
There are several web application security attack techniques that we
are unable to classify at this time. This appendix contains
summarized documentation that describes some of these
methodologies. These issues will be handled systematically in
version 2 of the Threat Classification.
1.1 HTTP Response Splitting
In the HTTP Response Splitting attack, there are always at least 3
parties involved:
- Web server, which has a security hole enabling HTTP
  Response Splitting
- Target: an entity that interacts with the web server, perhaps on
  behalf of the attacker. Typically this is a cache server
  (forward/reverse proxy), or a browser (possibly with a browser
  cache).
- Attacker: initiates the attack
The essence of HTTP Response Splitting is the attacker's ability to
send a single HTTP request that forces the web server to form an
output stream, which is then interpreted by the target as two HTTP
responses instead of the single response of the normal case. The first
response may be partially controlled by the attacker, but this is less
important. What is material is that the attacker completely controls the
form of the second response, from the HTTP status line to the last
byte of the HTTP response body. Once this is possible, the attacker
realizes the attack by sending two requests through the target. The
first one invokes two responses from the web server, and the second
request would typically be to some innocent resource on the web
server. However, the second request would be matched, by the
target, to the second HTTP response, which is fully controlled by the
Copyright 2004, Web Application Security Consortium. All rights reserved.
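The server-side flaw described above and its fix, as an added example that is not part of the original WASC document: a hypothetical redirect handler copies a `lang` parameter into a `Location` header, and `count_responses` frames the output stream the way a downstream target would. The handler, the parameter name and the sample value are assumptions constructed for illustration.

```python
import re

# CR, LF and NUL never belong inside an HTTP header value.
_HEADER_BREAK = re.compile(r"[\r\n\x00]")

# Constructed sample value (not from the original document): it closes the
# first response early and appends a second, complete one.
CONSTRUCTED_VALUE = ("en\r\nContent-Length: 0\r\n\r\n"
                     "HTTP/1.1 200 OK\r\nContent-Length: 1\r\n\r\nx")

def build_redirect_unsafe(lang):
    """'Before' form: request data is copied into a header unchecked."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: /home?lang={lang}\r\n"
            "Content-Length: 0\r\n\r\n")

def build_redirect_safe(lang):
    """Hardened form: refuse any value that could end the header line."""
    if _HEADER_BREAK.search(lang):
        raise ValueError("CR, LF or NUL in header value")
    return build_redirect_unsafe(lang)

def count_responses(stream):
    """Count the messages a target would frame from the output stream,
    using the first Content-Length header of each message."""
    count = 0
    while stream:
        head, sep, rest = stream.partition("\r\n\r\n")
        if not sep or not head.startswith("HTTP/"):
            break  # trailing bytes that do not begin a response
        length = 0
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length" and value.strip().isdigit():
                length = int(value.strip())
                break
        count += 1
        stream = rest[length:]
    return count

def is_rejected(lang):
    """True when the hardened builder refuses the value."""
    try:
        build_redirect_safe(lang)
    except ValueError:
        return True
    return False
```

Running `count_responses` over a handler's raw output for such constructed values works as a regression test for the header check.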