Hello and welcome to the cyber. Very secure coding course. My name Miss anywhere in this is sans top 25 porous defense lab. We're gonna be using web goats. Http. Response Splitting exercise.
This is the lab for Web goats. Http. Response splitting.
Now, before we get into the mechanics of the lab, I want to just give a little bit of background information
to better understand response splitting.
if our Web application that runs on this Web server
does not have any input validation to check for carriage returns or new line feeds, it could be susceptible to
these characters are injected
and then a response is sent back to the Web server
that is actually crafted.
And then an attack can be done by by an attacker.
So let's kind of walk through this flow here.
You can see for step number one. We have our original request. We're going to taint that request with some carriage returns in new lines.
We do this in order to first of all, determine if this particular web application is doing any kind of input validation.
And if it's not, then that response that comes back to us should contain those carriage returns. So that'll be the first step
now in an actual attack. What happens is when the response returns from that tainted request, it actually contains the status code of 200. Okay, in the response.
So that's what the attacker placed there. And you can see that
identified. Here, you can see the content length of zero
and an http response off 200. The special U R l in coding has been added so that it's understood by the Web server properly.
So what happens is the attacker fakes the Web server out by saying that the response is complete.
But actually in the rial body of the response
will be their payload, which is represented by to be here.
So to be actually contains the crafted response that will have either crossing, scripting, attack or whatever other type of attack we're trying to do. Maybe maybe poisoning of the cash control or something like that.
So now when we return to our lesson,
the first thing that we want to do is we want to see Is this particular page susceptible to an H two p response splitting attack.
Now, how we conduce, that is
we can inject those special characters
into the tax box and just see if it's reflected back to us.
Now, in this particular page, it's actually looking for a language to be identified. So
we've identified English, and then we followed that with our special characters of carriage returns in new lines to determine if it's gonna be reflected back to us.
So we're gonna turn burbs sweet on.
Put our interceptor on.
Okay, this is our request. We're gonna forward that,
and we do see it reflected here. Now, this is a redirect. So you actually need to click forward again because you can see this is another request.
so it looks like we can perform
a an http response splitting attack. So let's go ahead and do that.
We're gonna take this'll. This is our crafted
are our two part crafted message so
you can see that I have I still have my English, but I've got my content length
that I'm going to tell the Web server to be zero and in the HDP status code, I'm going to
to give a 200 so the Web server will think that the response is complete.
But actually, I have yet another message under here, which is an html page, and it states hacked
so that paid place that in there.
Okay. And so the message lets me know that
it did detect my successful attack.
So now what I want to do is I know that I can do an H two b response split. So I want to actually poison the cash. I want to do something as the main goal of this attack.
And so how we can do that is we create course we give our status 200 right?
Oh, to tell the Web server that the first response is complete.
And then we're gonna modify the last modified header to be a date in the future.
And just follow that up with the HTML page.
Now it does state here that Ah, we need to intercept the reply and replace it with the 304 reply. Ah, three or four is not modified. Gonna go ahead and turn my interceptor on.
paste in my cash poisoning attack.
Okay? And I'm going to change
the status here from a 200
Not more fun. Forward that,
and then I get the congratulations.