Showing posts from July, 2011

HTTP cache poisioning

HTTP response spilitting

First, we watch one source code:
$ cat redir.php
header ("Location: " . $_GET['page']);

"page" argument will be got from end-user and redirect (302) to another page. Ex:


Now, we will talk about http request. In normally, if you request redir.php?page=test.html, http request like that:
GET http://localhost/redir.php?site=test.html
Host: localhost
User-Agent: Mozilla/4.7 [en] (WinNT; I)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

We will go to test.html. Notice to "page" variable. It is not filtered. So end-user can modify it.
Using CR (%0d) and LF (%0a), attacker can control http request, generate two response to one request. How to do that?

this is page variable:
The resulting answer from the vulnerable application:
HTTP/1.1 302 Moved Temporari…

Install windows 3.1

First OS i had beend used :)).

Thanks for reading
All my Lab:
Linux Lab -- window and Cisco Lab
to be continued - I will update more.