[WEB SECURITY] Re: [Webappsec] Preventing HTTP Response Splitting with HTTP mods and sequence-id's ?

Andy Steingruebl steingra at gmail.com
Sun Mar 25 14:29:04 EDT 2007


On 3/24/07, Amit Klein <aksecurity at gmail.com> wrote:
> Not necessarily. Even if you only allow HTTPS traffic to your site, you
> still need to consider what happens inside your site. There may be an
> SSL accelerator terminating the SSL traffic well before it hits the
> actual server. There may be a load balancer in between, there may be a
> reverse proxy, and so forth. HTTP Response Splitting may affect any such
> device (once the SSL layer is stripped off).

I'm actually willing to make this tradeoff.  That is, I'm willing to
look for ways of securing my site even if it means that I have to
trade off a few things.   At least I can make some conscious decisions
about it....


> Not exactly. What I meant in the "double injection" method is that the
> first HTTP response has two injection points. Say the first response is: . . .

Ok, so once again you've managed to thoroughly depress me Amit :)

I wrote a little piece the other day I called "Which Number Castle or
How Deep is the Swamp?"

http://securityretentive.blogspot.com/2007/03/which-number-castle-is-it-or-how-deep.html

I sometimes feel like I'm trying to break the fundamental laws of
physics to achieve web security.  We know the tools we're working with
are no good, but we keep using the same ones rather than spending
energy on new ways of doing things, new tools for doing them, etc.

I don't know that steam power, steel, airplanes, etc. would ever have
been invented by people that have the same mindset as we do in
computers (and by we, I don't mean anyone in particular).

We'd still have moats around our castles, stone walls, etc.  We'd just
try to make thicker stone walls, deeper moats, and the enemy would
drop bombs on us from airplanes all the while we say "but we've got
so much infrastructure invested in stone masonry and the moat building
industry employs a lot of workers, people know how it works, etc."
Never mind that our enemies have moved on to much better attacks
against our defenses.  We'd stick with them hoping that somehow with
better moat-building processes we'd avoid the attacks...

Time to go searching for an HTTP and HTML replacement I suppose.  It
won't get fixed until we do.

- Andy



-- 
Andy Steingruebl
steingra at gmail.com
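As an added illustration of Amit's point in the quoted text above (example code written for this archive page, not from either poster): a minimal Python guard for a redirect header, placed where the response is assembled so that it holds no matter how many hops behind the TLS terminator parse the bare HTTP. The redirect target, the simplified status-line counter and the helper names are constructed for the example.

```python
import re

# Line-break bytes that let an attacker-controlled header value start a new header
# line or a whole new response. Bare CR and bare LF are rejected as well as CRLF,
# because not every hop between the TLS terminator and the client parses them alike.
_LINE_BREAK = re.compile(r"[\r\n]")
_STATUS_LINE = re.compile(rb"(?m)^HTTP/1\.[01] \d{3} ")


def naive_redirect(location: str) -> bytes:
    """'Before' form: the value is copied into the Location header unchecked."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def safe_header_value(value: str) -> str:
    """Guard applied where the header is built: refuse any value with CR or LF."""
    if _LINE_BREAK.search(value):
        raise ValueError("header value contains a line break")
    return value


def safe_redirect(location: str) -> bytes:
    """'After' form: same response, but the value passes the guard first."""
    return naive_redirect(safe_header_value(location))


def count_responses(raw: bytes) -> int:
    """Count status lines as a downstream proxy or load balancer would see them
    when it splits the byte stream on line breaks (constructed, simplified parser)."""
    return len(_STATUS_LINE.findall(raw))


def rejects(value: str) -> bool:
    """True if the guard refuses the value."""
    try:
        safe_header_value(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal redirect target and one carrying a line break
    # followed by a second status line, which is what response splitting relies on.
    split = "/account\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    print(count_responses(naive_redirect(split)))  # 2: downstream hops see two responses
    print(count_responses(safe_redirect("/account")))  # 1
    print(rejects(split))  # True
```

The guard runs on the decoded value the application is about to write, so a still-percent-encoded `%0d%0a` in a query string is not a line break and passes; the decision point is the write into the header, not the transport.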

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list