Hi all,
Maybe this is a very stupid question; however, after many unsuccessful
attempts, I would appreciate your assistance.
In testing a web application, I found that on sending the following request
header:
GET /path/path-contd/resource.asp?key1=value1&key2=value2&key3=value3 HTTP/1.1
....
I got the following response header:
HTTP/1.1 302 Found
Date: xxxx
Server: xxxx
Location: https://<full-domain>/path/path-contd/resource.asp?https=redirect&key1=value1&key2=value2&key3=value3
....
I tried to inject "CRLF" (%0d%0a) in value3 to perform HTTP Response
Splitting; however, the input was always output to the response header as
text and the injected CRLF (%0d%0a) was never executed. I tried:
- double url encoding: %250d%250a
- encoding the attack vector to unicode 16-bit
- injecting %0d%0a (and double encoded value) in value1 instead
- injecting %0d%0a (and double encoded value) in value2 instead
Am I missing something trivial or any other attack vector to bypass CRLF
Injection protection/filter? Is this the right approach? Or should I safely
assume that the application is performing proper URL sanitization?
I look forward to your replies. My apologies again in case my question is
naive.
Br,
m0n
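The behaviour described above (the CR/LF reflected into Location "as text") is what a correctly built redirect looks like. The following added example, which is not from the post or the application under test, shows a naive redirect builder beside a hardened one: the hardened version decodes the query string exactly once and re-encodes every value before it reaches the header, so a decoded CR/LF comes back out as %0D%0A and a double-encoded %250d%250a decodes only to the text "%0d%0a". The hostname, path and query values are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlencode, quote, unquote

HOSTNAME = "example.test"  # constructed; the post only shows <full-domain>
PATH = "/path/path-contd/resource.asp"


def header_value_is_safe(value):
    """Defense in depth: a header value must never contain CR, LF or NUL."""
    return not any(c in value for c in "\r\n\0")


def unsafe_location(path, raw_query):
    """The bug class: percent-decode once, then paste the raw text into the
    header. A decoded CR LF now terminates the Location line."""
    return "https://%s%s?https=redirect&%s" % (HOSTNAME, path, unquote(raw_query))


def safe_location(path, raw_query):
    """Decode once with parse_qsl, then re-encode every key and value.
    A literal CR/LF in a value is emitted as %0D%0A, so the header stays on
    one line; '%250d%250a' decodes to the text '%0d%0a' and is re-encoded
    to '%250d%250a', which is equally harmless."""
    params = [("https", "redirect")] + parse_qsl(raw_query, keep_blank_values=True)
    # quote (not quote_plus) with safe='' leaves nothing an HTTP parser
    # could read as a line break.
    encoded = urlencode(params, quote_via=quote)
    location = "https://%s%s?%s" % (HOSTNAME, path, encoded)
    if not header_value_is_safe(location):
        raise ValueError("refusing to emit a header containing CR/LF/NUL")
    return location


def header_line_count(headers):
    """Number of header lines an HTTP parser sees after serialisation:
    more lines than headers means a value smuggled in a line break."""
    block = "".join("%s: %s\r\n" % (name, value) for name, value in headers)
    return block.count("\r\n")


if __name__ == "__main__":
    q = "key1=value1&key2=value2&key3=value3%0d%0aabc"  # constructed input
    print(header_line_count([("Location", unsafe_location(PATH, q))]))  # 2
    print(header_line_count([("Location", safe_location(PATH, q))]))    # 1
    print(safe_location(PATH, "key3=value3%250d%250aabc"))
```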