Exercise 19: HTTP Response Splitting

Feb 6, 2025

Objective

Learn how to exploit HTTP Response Splitting vulnerabilities to inject malicious headers or redirect users to malicious sites. Understand how to prevent such vulnerabilities by validating and sanitizing user input.

Scenario

You are evaluating a web application that redirects users based on URL parameters. Due to improper input handling, the application is vulnerable to HTTP Response Splitting, allowing attackers to inject custom HTTP headers and manipulate responses.

Lab Setup

Prerequisites:

  • Basic knowledge of PHP and HTTP headers.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • A code editor (e.g., VSCode, Sublime Text).

Create the Vulnerable Web Application

PHP Script for Redirect Functionality

Create a file redirect.php:

<?php
if (isset($_GET['url'])) {
    $url = $_GET['url'];
    header("Location: $url");
} else {
    echo "<h2>No URL provided.</h2>";
}
?>

<form method="GET" action="">
    Redirect URL: <input type="text" name="url" required><br>
    <button type="submit">Redirect</button>
</form>

Running the Application

  • Start the Apache server.
  • Place redirect.php in the web server’s root directory (htdocs for XAMPP).
  • Open http://localhost/redirect.php in your browser.

Exploitation Steps

Before you start: the form cannot deliver the payload as written. When a browser submits the field it percent-encodes the % in %0D%0A, so the server receives the literal text %0D%0A rather than a carriage return and line feed. Put the payload in the query string yourself (in the address bar, or with a raw HTTP client such as curl with -i so you can read the response headers). PHP decodes %0D%0A into a real CR LF before the value reaches $_GET['url'].

Step 1: Injecting Malicious Headers

Request:

http://localhost/redirect.php?url=http://victim.com%0D%0ASet-Cookie:%20session=attacker

Expected Result:

  • The CR LF terminates the Location header, so the remainder of the value is emitted as a second header line: Set-Cookie: session=attacker. The victim's browser stores an attacker-chosen session value (session fixation) in addition to being redirected.
  • Caveat: since PHP 5.1.2, header() refuses any value that contains a newline, emits the warning "Header may not contain more than a single header, new line detected" and sends no Location header at all. On a current XAMPP/LAMP stack you will therefore see that warning instead of the injected header. The application code is still wrong (the runtime, not redirect.php, is doing the filtering); the same pattern in a hand-written HTTP response, or in a language or framework without that check, splits the response exactly as described.

Step 2: Redirecting to a Malicious Site

Request:

http://localhost/redirect.php?url=http://legit-site.com%0D%0ALocation:%20http://phishingsite.com

Expected Result:

  • The response now carries two Location headers, the intended one and the injected one. Which of the two a client follows is client-specific, so inspect the raw headers rather than relying on what one browser does. The technique is called response splitting because a second CR LF ends the header block entirely: everything after it becomes the response body, so the attacker controls the whole response, not just one header. The header() caveat from Step 1 applies here as well.

Solution and Prevention

Problem Analysis

  • The url parameter is written straight into the Location header. HTTP headers are separated by CR LF, so a CR LF inside the value ends the Location header and whatever follows is parsed as further headers (and, after a blank line, as the response body). Nothing in redirect.php checks the value for control characters, an acceptable scheme, or an approved destination host.

Fixing the Vulnerability

Validate and Sanitize User Input

Reject anything that is not a well-formed absolute http(s) URL. FILTER_VALIDATE_URL fails on any character outside the URL-safe set, and that set excludes CR and LF, so a decoded %0D%0A payload is rejected before it can reach header(). Check the scheme with parse_url() rather than a string prefix: strpos($url, 'http') === 0 also accepts schemes such as httpx://.

<?php
if (isset($_GET['url'])) {
    // FILTER_VALIDATE_URL returns false for malformed URLs and for any
    // value containing control characters such as CR/LF.
    $url = filter_var($_GET['url'], FILTER_VALIDATE_URL);
    $scheme = $url ? strtolower((string) parse_url($url, PHP_URL_SCHEME)) : '';
    if ($url && in_array($scheme, ['http', 'https'], true)) {
        header("Location: $url");
        exit; // stop output once the redirect has been sent
    } else {
        echo "<h2>Invalid URL.</h2>";
    }
}
?>

Encode URL Parameters

Encoding is for the pieces you assemble yourself; it is not a substitute for the validation above. If the application builds the destination from parts (for example a next path appended to a fixed base URL), pass each untrusted component through rawurlencode() before concatenating it, so that a CR LF inside the component arrives in the header as the text %0D%0A rather than as a line break. Do not try to "encode" a complete user-supplied URL to make it safe for header(): urlencode() on the whole value also encodes its : and / and breaks the redirect, while leaving it unencoded lets the line break through. A control character in a header value is an error to reject, not a character to escape.

Use Whitelisting

Only allow redirects to trusted domains. This closes the open redirect (an attacker can no longer send users to phishingsite.com), but on its own it does not stop splitting: http://trusted.com/%0D%0ASet-Cookie:%20session=attacker still has an allowed host. Run the allowlist after the validation above, guard against input that parse_url() cannot parse, and compare hosts strictly and case-insensitively.

$allowed_domains = ['trusted.com', 'secure-site.com'];

if (isset($_GET['url'])) {
    // parse_url() returns false or an array without 'host' for malformed or relative input
    $parsed_url = parse_url($_GET['url']);
    $host = is_array($parsed_url) && isset($parsed_url['host']) ? strtolower($parsed_url['host']) : '';

    if ($host !== '' && in_array($host, $allowed_domains, true)) {
        header("Location: " . $_GET['url']);
        exit;
    } else {
        echo "<h2>Unauthorized redirect attempt.</h2>";
    }
}

Do Not Bypass the Runtime's Header Checks

The runtime is the last line of defence here, not the fix. Since PHP 5.1.2, header() rejects any value containing a newline and emits a warning instead of sending the header, and the response objects of current frameworks do the same. Keep PHP current, send headers only through header() or the framework's response API (never by writing raw HTTP yourself), and watch the PHP error log for "Header may not contain more than a single header" warnings: each one is an injection attempt that the application code let through.
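The three fixes above combined into one drop-in replacement for redirect.php, as an added example that is not part of the original lab: it rejects control characters before doing anything else, validates the URL, checks the scheme, refuses userinfo tricks such as http://trusted.com@evil.com, enforces a host allowlist, and rebuilds the Location value from the parsed components so that only validated pieces reach header(). The $allowed_hosts list and the function name safe_redirect_target() are placeholders chosen for this example.

```php
<?php
// Hardened replacement for the lab's redirect.php (added example, not the original code).
// $allowed_hosts is an assumed placeholder list; replace it with your real destinations.
$allowed_hosts = ['trusted.com', 'secure-site.com'];

/**
 * Return a safe absolute URL to redirect to, or null if the candidate must be rejected.
 * Rejects control characters (a CR/LF would split the response), malformed URLs,
 * non-http(s) schemes, URLs carrying userinfo, and hosts outside the allowlist.
 */
function safe_redirect_target(string $candidate, array $allowed_hosts): ?string
{
    // 1. Any control character (including \r and \n) can never be part of a header value.
    //    %0D%0A in the query string is already decoded to CR LF by the time it is in $_GET.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return null;
    }

    // 2. Must be a well-formed absolute URL.
    $url = filter_var($candidate, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // 3. Only http/https destinations; no javascript:, data:, or custom schemes.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    // 4. No userinfo. "http://trusted.com@evil.com" parses with host evil.com, which the
    //    allowlist would catch anyway, but reject the form outright to avoid confusion.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    // 5. Exact, case-insensitive host allowlist with strict comparison.
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return null;
    }

    // 6. Rebuild the URL from validated components rather than echoing the raw input.
    $target = $scheme . '://' . $host;
    if (isset($parts['port'])) {
        $target .= ':' . $parts['port'];
    }
    $target .= $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $target .= '#' . $parts['fragment'];
    }
    return $target;
}

if (isset($_GET['url'])) {
    $target = safe_redirect_target((string) $_GET['url'], $allowed_hosts);
    if ($target === null) {
        http_response_code(400);
        echo "<h2>Invalid or unauthorized redirect target.</h2>";
    } else {
        header('Location: ' . $target, true, 302);
        exit; // nothing may follow a redirect response
    }
} else {
    echo "<h2>No URL provided.</h2>";
}
?>
```

With this file in place, redirect.php?url=http://trusted.com/%0D%0ASet-Cookie:%20x=y is answered with a 400 at step 1, before header() is ever called, while redirect.php?url=http://trusted.com/account returns a single 302 Location header. Rebuilding the target in step 6 is what makes the check robust: even if a future change relaxes one of the earlier tests, the raw input is never copied into the header.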

Testing After Fix

  1. Retry the payloads, placing them directly in the query string as in the exploitation steps:
    • http://localhost/redirect.php?url=http://victim.com%0D%0ASet-Cookie:%20session=attacker
    • http://localhost/redirect.php?url=http://legit-site.com%0D%0ALocation:%20http://phishingsite.com
  2. Expected Result:
    • The application answers with "Invalid URL." (or "Unauthorized redirect attempt."), and the raw response contains neither a Set-Cookie header nor a second Location header. No header() warning appears in the PHP error log, because the value never reached header().
  3. Regression check: a legitimate destination such as http://trusted.com/ still produces a 302 response with a single Location header.

Conclusion

In this lab, you exploited an HTTP Response Splitting vulnerability by injecting malicious headers and redirecting users to unintended websites. You also learned how to mitigate this vulnerability by validating and sanitizing user inputs, using whitelisting, and securely managing HTTP responses.
