00:04
Hello and welcome to the Cybrary Secure Coding course. My name is [inaudible], and this is the SANS Top 25 Porous Defenses lab. We're gonna be using WebGoat's HTTP Response Splitting exercise.
00:20
This is the lab for WebGoat's HTTP Response Splitting.
00:25
Now, before we get into the mechanics of the lab, I want to just give a little bit of background information
00:32
to better understand response splitting.
00:40
If our Web application that runs on this Web server
00:44
does not have any input validation to check for carriage returns or new line feeds, it could be susceptible to
00:57
these characters being injected,
01:00
and then a response is sent back to the Web server
01:04
that is actually crafted.
01:07
And then an attack can be done by an attacker.
01:11
So let's kind of walk through this flow here.
01:17
You can see for step number one, we have our original request. We're going to taint that request with some carriage returns and new lines.
01:27
We do this in order to first of all, determine if this particular web application is doing any kind of input validation.
01:37
And if it's not, then that response that comes back to us should contain those carriage returns. So that'll be the first step
01:49
Now, in an actual attack, what happens is when the response returns from that tainted request, it actually contains the status code of 200 OK in the response.
02:04
So that's what the attacker placed there. And you can see that
02:07
identified here. You can see the content length of zero
02:12
and an HTTP response of 200. The special URL encoding has been added so that it's understood by the Web server properly.
02:23
So what happens is the attacker fakes the Web server out by saying that the response is complete.
02:31
But actually in the real body of the response
02:36
will be their payload, which is represented by 2B here.
02:42
So 2B actually contains the crafted response that will have either a cross-site scripting attack or whatever other type of attack we're trying to do. Maybe poisoning of the cache control or something like that.
02:58
So now when we return to our lesson,
03:01
the first thing that we want to do is we want to see: is this particular page susceptible to an HTTP response splitting attack?
03:12
Now, how we can do that is
03:15
we can inject those special characters
03:17
into the text box and just see if it's reflected back to us.
03:23
Now, in this particular page, it's actually looking for a language to be identified. So
03:32
we've identified English, and then we followed that with our special characters of carriage returns and new lines to determine if it's gonna be reflected back to us.
03:45
So we're gonna turn Burp Suite on.
03:47
Put our interceptor on.
03:53
Okay, this is our request. We're gonna forward that,
03:59
and we do see it reflected here. Now, this is a redirect. So you actually need to click forward again because you can see this is another request.
04:13
So it looks like we can perform
04:16
an HTTP response splitting attack. So let's go ahead and do that.
04:24
We're gonna take this. This is our crafted,
04:30
our two-part crafted message, so
04:33
you can see that I still have my English, but I've got my content length
04:40
that I'm going to tell the Web server to be zero, and in the HTTP status code, I'm going to
04:49
give a 200, so the Web server will think that the response is complete.
04:58
But actually, I have yet another message under here, which is an HTML page, and it states "hacked",
05:08
so I'll paste that in there.
05:16
Okay. And so the message lets me know that
05:21
it did detect my successful attack.
05:26
So now what I want to do is, I know that I can do an HTTP response split, so I want to actually poison the cache. I want to do something as the main goal of this attack.
05:36
And so how we can do that is we, of course, give our status 200, right?
05:46
To tell the Web server that the first response is complete.
05:50
And then we're gonna modify the Last-Modified header to be a date in the future.
05:58
And just follow that up with the HTML page.
06:06
Now it does state here that we need to intercept the reply and replace it with the 304 reply. 304 is Not Modified. Gonna go ahead and turn my interceptor on.
06:26
Paste in my cache poisoning attack.
06:31
Okay? And I'm going to change
06:35
the status here from a 200 to a 304
06:44
Not Modified. Forward that,
06:48
and then I get the congratulations.