1BO4r2U
1BO4r2U
1BO4r2U
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
151 152<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
ity, the tester needs to identify all user controlled input that influences<br />
one or more headers in the response, and check whether he/she<br />
can successfully inject a CR+LF sequence in it.<br />
The headers that are the most likely candidates for this attack are:<br />
• Location<br />
• Set-Cookie<br />
It must be noted that a successful exploitation of this vulnerability<br />
in a real world scenario can be quite complex, as several factors<br />
must be taken into account:<br />
[1] The pen-tester must properly set the headers in the fake response<br />
for it to be successfully cached (e.g., a Last-Modified header<br />
with a date set in the future). He/she might also have to destroy<br />
previously cached versions of the target pagers, by issuing a preliminary<br />
request with “Pragma: no-cache” in the request headers<br />
[2] The application, while not filtering the CR+LF sequence, might<br />
filter other characters that are needed for a successful attack (e.g.,<br />
“”). In this case, the tester can try to use other encodings<br />
(e.g., UTF-7)<br />
[3] Some targets (e.g., ASP) will URL-encode the path part of the<br />
Location header (e.g., www.victim.com/redirect.asp), making a<br />
CRLF sequence useless. However, they fail to encode the query<br />
section (e.g., ?interface=advanced), meaning that a leading question<br />
mark is enough to bypass this filtering<br />
For a more detailed discussion about this attack and other information<br />
about possible scenarios and applications, check the papers<br />
referenced at the bottom of this section.<br />
Gray Box testing<br />
HTTP Splitting<br />
A successful exploitation of HTTP Splitting is greatly helped by<br />
knowing some details of the web application and of the attack target.<br />
For instance, different targets can use different methods to<br />
decide when the first HTTP message ends and when the second<br />
starts. Some will use the message boundaries, as in the previous<br />
example. Other targets will assume that different messages will<br />
be carried by different packets. Others will allocate for each message<br />
a number of chunks of predetermined length: in this case,<br />
the second message will have to start exactly at the beginning of a<br />
chunk and this will require the tester to use padding between the<br />
two messages. This might cause some trouble when the vulnerable<br />
parameter is to be sent in the URL, as a very long URL is likely to<br />
be truncated or filtered. A gray box scenario can help the attacker<br />
to find a workaround: several application servers, for instance, will<br />
allow the request to be sent using POST instead of GET.<br />
HTTP Smuggling<br />
As mentioned in the introduction, HTTP Smuggling leverages the<br />
different ways that a particularly crafted HTTP message can be<br />
parsed and interpreted by different agents (browsers, web caches,<br />
application firewalls). This relatively new kind of attack was<br />
first discovered by Chaim Linhart, Amit Klein, Ronen Heled and<br />
Steve Orrin in 2005. There are several possible applications and<br />
we will analyze one of the most spectacular: the bypass of an<br />
application firewall. Refer to the original whitepaper (linked at<br />
the bottom of this page) for more detailed information and other<br />
scenarios.<br />
Application Firewall Bypass<br />
There are several products that enable a system administration to<br />
detect and block a hostile web request depending on some known<br />
malicious pattern that is embedded in the request. For example, consider<br />
the infamous, old Unicode directory traversal attack against IIS<br />
server (http://www.securityfocus.com/bid/1806), in which an attacker<br />
could break out the www root by issuing a request like:<br />
http:/target/scripts/..%c1%1c../winnt/system32/cmd.exe?/<br />
c+<br />
Of course, it is quite easy to spot and filter this attack by the presence<br />
of strings like “..” and “cmd.exe” in the URL. However, IIS 5.0 is<br />
quite picky about POST requests whose body is up to 48K bytes and<br />
truncates all content that is beyond this limit when the Content-Type<br />
header is different from application/x-www-form-urlencoded. The<br />
pen-tester can leverage this by creating a very large request, structured<br />
as follows:<br />
POST /target.asp HTTP/1.1