
HTTP Response Splitting Vulnerability on reddit.com - there
http://nealpoole.com/blog/2011/01/http-response-splitting-on-reddit-com/
======
pak
By comparison, PHP actually prevents you from using \r\n in your header()
calls to inadvertently make multiple headers or break off into the body. It
spits out a

    
    
      Warning: Header may not contain more than a single header, new line detected.
    

and drops the header.

~~~
kijinbear
PHP has a reputation for insecurity, but it also has a lot of built-in
features that help you build secure web apps if used correctly. Some of PHP's
earlier experiments were disasterous, (I'm talking about you, magic quotes!)
but recent fixes like this actually seem to be pretty well thought out. PHP
itself can be seen almost a lightweight web framework, albeit a particularly
ugly one.

Other languages, such as Python, were not designed specifically with web apps
in mind. So a web developer using such a language must make sure he's doing
all the web-specific stuff properly. Which is tedious and error-prone, and
that's one reason why nobody should use Python on the web without a decent
framework.

~~~
getsat
Don't forget about register_globals, too. _shudders_

Your last sentence =~ s/Python/any language/

Even PHP is horrible and insecure to use without a framework today.

------
tptacek
Nice finding, Neal. Want a job?

Oh, wait.

~~~
DTrejo
It's good you're active on HN, and in NYC, otherwise he might not have heard
about you guys ;)

~~~
tptacek
HN is currently our #1 hiring vector.

------
d_r
Is it ever reasonable to pass a redirect URL directly via the GET parameters?
One other concern would be the ease of phishing attacks, e.g.

goodsite.com/login?redirect=<http://www.mybadsite.com>

User logs in to Goodsite, and is redirected to a similar-looking page on
Badsite.

One safer alternative would be to store the redirect URL in the session
(presuming one is available) and read it back later.

~~~
nbpoole
You're talking about what's known as an open redirect. And you're correct:
those can definitely be used to make a phishing attack more effective. But as
I mentioned, reddit only redirects users to reddit content: you need to
provide a relative URL or use a reddit subdomain (eg:
<http://code.reddit.com>) in the dest parameter.

------
nbpoole
Aww, someone submitted my blog post. :)

~~~
jsdalton
Can you help me better understand the risk to an end user this represents? I
just recently implemented some similar login redirect logic and want to make
sure I'm handling the redirect value properly.

~~~
tptacek
It's a somewhat complicated variant of reflected cross-site scripting, a.k.a.
Javascript injection.†

The vulnerability in response-splitting is passing attacker-controlled
newlines unmolested through HTTP header content. Newlines terminate headers.
Attacker-controlled content in a redirect that is allowed to contain newlines
enables attackers to inject new headers or to terminate the header portion of
the request.

Here, Neal's using the attack to inject a false end-of-headers newline and
then a fake request body containing Javascript.

The attack is trivial to prevent; just don't allow newlines (and, ideally,
active HTML characters) in redirect content.

† _The goal of an attacker is to coerce a server into sending her own
Javascript; the same-origin rules governing browser security allow that
Javascript access to the server's cookies, even though the code is under the
control of an attacker._

~~~
axod
> "The attack is trivial to prevent; just don't allow newlines (and, ideally,
> active HTML characters) in redirect content."

Surely the more correct solution is to escape them properly.

eg in the example:

    
    
      Location: javascript:
     
      <script>alert(document.cookie)</script>
    

occurs because something unescaped the %0D%0A%0D%0A. If however you just leave
it as it was originally, or alternatively encode it properly after you've
decoded it.

    
    
      Location: javascript:%0D%0A%0D%0A<script>alert(document.cookie)</script>
    

and everything works as it should.

~~~
tptacek
You're right; I wasn't prescriptive enough. Thanks for clarifying.

------
atomical
Was this discovered by chance or was it garnered through an exploit
scanner/crawler of some sort? Looking at matasano I'm wondering if exploit
scanning is a method of acquiring new customers.

~~~
tptacek
(1) This is a Neal Poole finding, not a Matasano finding.

(2) Reddit isn't a customer.

(3) Suffice it to say that the market for software security is such that we
don't really have to do do much other than excel at our work to acquire new
customers.

~~~
nbpoole
What Tom said. To be clear, nealpoole.com is my personal blog, not a company
blog: I just happen to enjoy web application security. :)

------
k0nad
also, add httponly to your cookies then javascript cant see them

~~~
tptacek
This is an almost cosmetic defense, because Javascript can still launch
requests that will bear those cookies, even if it can't bank them for later.

HttpOnly isn't evil, but it's not a solution to the problem.

~~~
peripitea
Security noob follow-up: How do you exploit the fact that your javascript can
launch requests bearing those cookies? I'm assuming your end goal is to get
access to those cookies. Do you do something like POST the contents of the
original HTTP request headers that follow your injected \r\n (including said
cookies) to a malicious server?

~~~
jaysoo
The goal could be CSRF instead of actually reading the cookies. If there's a
SessionID cookie for example, you can use JS to GET/POST the request to the
server without needing to know the value of SessioID because the browser will
send it as part of the request anyway.

The HTTP Response Splitting vulnerability can have many implications, XSS and
CSRF attacks are just some examples.

~~~
peripitea
Ah, right. Thanks!

