3

enter image description here

I am not going into the basics of the HTTP response splitting attack, as the above figure completely describes the working of such an attack. A previous post has also discussed the working of such an attack: ASP.NET HTTP Response Splitting Attack.

My question, or rather confusion, is that there exists a view in the community that such attacks are no longer possible and are mitigated by the underlying framework. What are the mitigation strategies? Are they client side or server side, etc.? I also find a lack of authenticated references in this regard.

Ali Ahmad

1 Answer

4

As to response splitting, a vulnerable application allows injection at the HTTP response headers level. So there has to be an attack vector in the app that allows unfiltered input to be appended to the headers section of the response.

Today frameworks (like .NET or J2EE, and probably others) offer programmers an API which can be used to mitigate/eliminate such attacks (in server-side code). But as we all know, "It's impossible to foresee consequences of being clever", so developers can avoid those protections entirely, leaving the application vulnerable to such attacks.

So there isn't a strict yes/no answer. It depends on the developer's imagination.

damiankolasa
  • Can you be more specific on API-level mitigation strategies? Thanks – Ali Ahmad Dec 27 '12 at 08:05
  • 1
    It basically strips down to preventing \n\r strings from entering your header section. So, i.e., in Java you have the addHeader method, which does that kind of check for you. – damiankolasa Dec 27 '12 at 08:36
  • 1
    fatfredyy @AliAhmad actually the typical implementation is simply automatic URL-encoding of any input to these methods. – AviD Jul 28 '13 at 23:40
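
The two server-side strategies mentioned in the comments above (refusing CR/LF in header values, or encoding them), shown next to the unfiltered concatenation they replace. This is an added example, not part of the original thread and not any framework's actual code; every function name and the sample input are hypothetical.

```python
import re
from urllib.parse import quote

CRLF = "\r\n"
# A bare LF is refused too, since many HTTP parsers accept it as a line end.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_response_naive(headers):
    """Deliberately unsafe: header values are concatenated as-is."""
    lines = ["HTTP/1.1 302 Found"]
    lines += [f"{name}: {value}" for name, value in headers]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def reject_crlf(value):
    """Strategy 1: refuse any value containing CR, LF or NUL."""
    if _FORBIDDEN.search(value):
        raise ValueError("control character in header value")
    return value


def encode_value(value):
    """Strategy 2: percent-encode, so CR/LF become %0D/%0A."""
    return quote(value, safe="/:?=&")


def build_response_safe(headers, sanitize=reject_crlf):
    """Apply the chosen sanitizer to every value before serialising."""
    return build_response_naive([(n, sanitize(v)) for n, v in headers])


def header_names(raw):
    """Read the header section as a client or proxy would: split on CRLF."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [ln.split(b":", 1)[0].decode() for ln in head.split(b"\r\n")[1:]]


# Constructed input: a "lang" parameter carrying CR LF and an extra header line.
TAINTED = "en\r\nSet-Cookie: injected=1"

if __name__ == "__main__":
    hdrs = [("Location", "/home?lang=" + TAINTED)]
    print("naive  :", header_names(build_response_naive(hdrs)))
    print("encoded:", build_response_safe(hdrs, sanitize=encode_value))
    try:
        build_response_safe(hdrs)
    except ValueError as exc:
        print("reject :", exc)
```
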