[WEB SECURITY] A technique for bypassing request header restriction of XMLHttpRequest
Kousuke Ebihara
kousuke at co3k.org
Thu Jan 5 07:13:09 EST 2012
Hi,
Do you know that Apache HTTP Server and Lighttpd replace non-alphanumeric characters with underscores in the names of environment variables?
This might be useful for bypassing the request header restrictions of XMLHttpRequest.
Here is a simple CGI script to test server behavior::
    #!/usr/bin/env python
    # -*- coding: UTF-8 -*-
    # Dump every environment variable the web server handed to this CGI script,
    # so the HTTP_* names derived from request headers can be compared.
    from __future__ import print_function
    import os

    # Blank line after the header terminates the CGI response headers.
    print("Content-Type: text/plain\n")
    for k, v in sorted(os.environ.items()):
        print("%s: %s" % (k, v))
And execute this script via Apache::
    $ telnet localhost 80
    GET /~co3k/envs.cgi.py HTTP/1.0
    X-Normal: Hello
    X_Under: Hello
    X.Dot: Hello

    HTTP/1.1 200 OK
    Date: Wed, 23 Nov 2011 10:30:53 GMT
    Server: Apache/2.2.20 (Unix) DAV/2 PHP/5.3.6 with Suhosin-Patch
    Connection: close
    Content-Type: text/plain

    HTTP_X_DOT: Hello
    HTTP_X_NORMAL: Hello
    HTTP_X_UNDER: Hello
Then, via Lighttpd::
    $ telnet localhost 8037
    GET /envs.cgi.py HTTP/1.0
    X-Normal: Hello
    X_Under: Hello
    X.Dot: Hello

    HTTP/1.0 200 OK
    Content-Type: text/plain
    Connection: close
    Date: Wed, 23 Nov 2011 10:43:12 GMT
    Server: lighttpd/1.4.28

    HTTP_X_DOT: Hello
    HTTP_X_NORMAL: Hello
    HTTP_X_UNDER: Hello
But in the case of Nginx::
    $ telnet localhost 8080
    GET /env/ HTTP/1.0
    X-Normal: Hello
    X_Under: Hello
    X.Dot: Hello

    HTTP/1.1 200 OK
    Server: nginx/1.0.9
    Date: Wed, 23 Nov 2011 10:57:07 GMT
    Content-Type: text/plain
    Connection: close

    HTTP_X_NORMAL: Hello
Well, as you know, some XMLHttpRequest implementations refuse to send certain request headers.
(See also: http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest)
You can't send Accept-Charset, Accept-Encoding, User-Agent, etc. via Firefox's XMLHttpRequest, but you can send Accept_Charset, Accept.Encoding, User*Agent, etc. A CGI script may then trust the User*Agent header value via the "HTTP_USER_AGENT" environment variable.
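To make the normalization concrete, here is an added example of mine (not code from the post) that models the Apache/Lighttpd mapping seen in the transcripts above, the nginx behaviour of dropping such header names, and a front-end pre-check that refuses a request whose header names become ambiguous after normalization. The nginx model and the pre-check are assumptions of this example, drawn only from what the three transcripts show.

```python
"""Model of CGI header-name normalization plus a defensive pre-check.

Added example, not part of the original post.  Apache/Lighttpd behaviour is
modelled after the transcripts in the post (non-alphanumerics become '_');
the nginx model assumes such header names are simply dropped, which is what
the third transcript shows.
"""
import re


def cgi_env_name(header_name):
    """Apache/Lighttpd style: HTTP_ + upper-cased name, non-alnum -> '_'."""
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header_name).upper()


def nginx_env_name(header_name):
    """nginx style (modelled): names outside [A-Za-z0-9-] are dropped."""
    if re.fullmatch(r"[A-Za-z0-9-]+", header_name):
        return "HTTP_" + header_name.upper().replace("-", "_")
    return None


def env_collisions(headers):
    """Return {env_name: [original names]} where >1 header maps to one variable."""
    by_env = {}
    for name in headers:
        by_env.setdefault(cgi_env_name(name), []).append(name)
    return {env: names for env, names in by_env.items() if len(names) > 1}


def reject_ambiguous(headers):
    """Pre-check a front end could run before the CGI environment is built.

    Returns the reasons to refuse the request (empty list = accept): a header
    name with characters outside [A-Za-z0-9-], or two names that normalise to
    the same CGI variable.  Both conditions describe the trick in the post.
    """
    reasons = []
    for name in headers:
        if nginx_env_name(name) is None:
            reasons.append("non-token header name: %r" % name)
    for env, names in env_collisions(headers).items():
        reasons.append("%s set by several headers: %s" % (env, ", ".join(names)))
    return reasons


# Constructed sample: the post's three headers plus a spoofed User-Agent variant.
SAMPLE = {"X-Normal": "Hello", "X_Under": "Hello", "X.Dot": "Hello",
          "User-Agent": "Browser/1.0", "User*Agent": "Spoofed/9.9"}

if __name__ == "__main__":
    for name in SAMPLE:
        print("%-12s -> apache/lighttpd %-18s nginx %s"
              % (name, cgi_env_name(name), nginx_env_name(name)))
    for reason in reject_ambiguous(SAMPLE):
        print("reject:", reason)
```

Running it shows User-Agent and User*Agent landing on the same HTTP_USER_AGENT variable, which is exactly the ambiguity a script reading the environment can no longer detect.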
I've found a vulnerability in Japanese mobile phones by using this technique. But that vulnerability is caused by an unusual custom of the Japanese mobile world.
So I want to know about more universal threats using this technique. Do you have any ideas?
Thanks,
--
Kousuke Ebihara <kousuke at co3k.org>
http://co3k.org/