Showing posts from July, 2011

HTTP cache poisoning

HTTP response splitting

First, let's look at some source code:

    $ cat redir.php
    <?php
    header("Location: " . $_GET['page']);
    ?>

The "page" argument is taken from the end user, and the script redirects (302) to that page. Examples:

    redir.php?page=index.php
    redir.php?page=test.html

Now let's talk about the HTTP request. Normally, if you request redir.php?page=test.html, the HTTP request looks like this:

    GET http://localhost/redir.php?page=test.html
    Host: localhost
    User-Agent: Mozilla/4.7 [en] (WinNT; I)
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Encoding: gzip
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8

We are redirected to test.html. Note the "page" variable: it is not filtered, so the end user can modify it. Using CR (%0d) and LF (%0a), an attacker can control the HTTP request and make one request generate two responses. How is that done? This is the page variable:

    ?page=test.html

The resulting answer from the vulnerable application: HT
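
A hardened counterpart to redir.php, as an added example that is not part of the original post: it refuses any "page" value containing CR, LF or other control characters and only redirects to known pages. The names ALLOWED_PAGES and redirect_target() are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not the post's code. ALLOWED_PAGES and redirect_target()
// are hypothetical names chosen for illustration.

const ALLOWED_PAGES = ['index.php', 'test.html'];

/**
 * Return a value that is safe to place in a Location header,
 * or null when the supplied "page" value must not reach header().
 */
function redirect_target($page): ?string
{
    // ?page[]=x arrives as an array; anything that is not a string is refused.
    if (!is_string($page)) {
        return null;
    }
    // PHP has already URL-decoded the query string, so %0d%0a shows up here
    // as raw CR/LF. Refuse control characters rather than stripping them.
    if (preg_match('/[\x00-\x1f\x7f]/', $page)) {
        return null;
    }
    // Redirect only to pages the application itself serves.
    return in_array($page, ALLOWED_PAGES, true) ? $page : null;
}

// Constructed sample inputs, in the form they would have in $_GET['page'].
$samples = [
    'test.html',                        // expected: accepted
    "test.html\r\nX-Injected: 1",       // decoded %0d%0a: refused
    'http://example.invalid/',          // not in the allowlist: refused
    ['test.html'],                      // array input: refused
];

foreach ($samples as $s) {
    printf("%-40s => %s\n", json_encode($s), json_encode(redirect_target($s)));
}

// How redir.php would use it:
//   $target = redirect_target($_GET['page'] ?? null);
//   if ($target === null) { http_response_code(400); exit; }
//   header('Location: ' . $target);
```

Since PHP 5.1.2, header() itself refuses to send more than one header per call, but validating the value first keeps the check explicit and also stops redirects to pages outside the allowlist.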

Install Windows 3.1

The first OS I used :)).