> but we might be able to cause a browser fault
> on a long or malformed location header
I found some very interesting behavior in IE 6.x and Firefox 1.5.x when parsing very long Location headers (like 100KB+). I stumbled on most of these by accident in late 2005 when I was developing TinyDisk (http://msblabs.org/tinydisk/). Mainly browser crashes and freezes. Unfortunately, short of seeing EIP = 0x414141414141 I can't exploit a buffer overflow to save my life so I never got around to writing anything up about it. Someone should investigate this more.
Billy
-----Original Message-----
From: Andy Steingruebl [mailto:steingra@gmail.com]
Sent: Saturday, November 03, 2007 5:14 PM
To: Amit Klein
Cc: WASC Forum
Subject: Re: [WEB SECURITY] JS parsing in 3xx HTTP responses?
Agreed. I was really thinking of the case though where response splitting isn't possible but we might be able to cause a browser fault on a long or malformed location header. When using mod_rewrite it appears response splitting isn't an issue - though I will probably go review the code in mod_rewrite just to see how they handle everything...
On 11/3/07, Amit Klein <aksecurity@gmail.com> wrote:
> Andy Steingruebl wrote:
> > Ok, so what I'm seeing as a consensus is that generally speaking this
> > isn't exploitable on the browsers we know about.
> >
> > I'm wondering if there might be an attack against Location header
> > length that causes a browser to render and parse the page....
>
> You could go for HTTP Response Splitting. This exact same scenario is
> mentioned in the paper
> (http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf):
>
> Cross-Site Scripting (XSS): Until now, it has been impossible to mount XSS attacks on sites
> through a redirection script when the clients use IE unless the Location header can be fully
> controlled. With HTTP Response Splitting, it is possible to mount a XSS attack even if the
> Location header is only partially controlled by the attacker.
>
> -Amit
>
--
Andy Steingruebl
steingra@gmail.com
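An added example (not code from Billy, Andy or Amit): a Python redirect builder that refuses the two Location shapes the thread discusses, CR/LF in a partially controlled value (Amit's response-splitting case) and very long values (the crash case Billy and Andy raise), plus a proxy-side check for a captured response carrying a second status line. The host allow-list, length cap and sample capture are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed policy values, not from the thread: a length cap far below the
# 100KB+ Location headers Billy reports, and a host allow-list for absolute URLs.
MAX_LOCATION_LEN = 2048
ALLOWED_HOSTS = {"www.example.com"}

def safe_location(target: str) -> str:
    """Return `target` as a Location header value, or raise ValueError.
    Rejects CR/LF and other control characters (the partial-control injection
    Amit's paper describes), over-long values, absolute URLs outside the
    allow-list, and scheme-relative "//host" paths."""
    if re.search(r"[\x00-\x1f\x7f]", target):
        raise ValueError("control character in redirect target")
    if len(target) > MAX_LOCATION_LEN:
        raise ValueError("redirect target too long")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https") or parts.netloc.lower() not in ALLOWED_HOSTS:
            raise ValueError("absolute redirect to a disallowed scheme or host")
    elif not target.startswith("/") or target.startswith("//"):
        raise ValueError("relative redirect must be a single-slash path")
    return target

def is_safe_redirect(target: str) -> bool:
    """Yes/no form of safe_location() for input validation at the edge."""
    try:
        safe_location(target)
        return True
    except ValueError:
        return False

def build_redirect(target: str) -> bytes:
    """Serialize a minimal 302 whose Location value passed safe_location()."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {safe_location(target)}\r\n"
            "Content-Length: 0\r\n\r\n").encode("ascii")

def response_looks_split(raw: bytes) -> bool:
    """Detection side, for a response captured at a proxy: a single server
    response has one status line, so a second 'HTTP/1.' line directly after
    the first header block is the signature of a split response."""
    _head, _sep, rest = raw.partition(b"\r\n\r\n")
    return rest.lstrip(b"\r\n").startswith(b"HTTP/1.")

# Constructed capture (not real traffic): two responses where one was sent.
SPLIT_CAPTURE = (b"HTTP/1.1 302 Found\r\nLocation: /account\r\nContent-Length: 0\r\n\r\n"
                 b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nhi")
```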
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]