- From: Henrik Nordström <henrik@henriknordstrom.net>
- Date: Mon, 24 Jan 2011 08:03:04 +0100
- To: John Wilander <john.wilander@owasp.org>
- Cc: Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>, Gervase Markham <gerv@mozilla.org>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
Mon 2011-01-24 at 03:02 +0100, John Wilander wrote:

> Finally, Response Splitting
> Since it has been discussed before I'd just like to bring response
> splitting to the table. That's an attack vector against header
> policies. A proposed countermeasure is some form of signed headers.

The best countermeasure is simply to not use any user provided data in headers without careful checking and encoding. Pay attention to what you put in those cookies please.

Second countermeasure is having a safety check on sent responses. Header section must not contain extra blank lines or more than one content-length, malformed content-length and preferably no other malformed headers.

The flaw which allows for response splitting is insecure programming at the server side, allowing the calling agent to control parts of the header output of the server. This allows the attacker to mess up the HTTP protocol message syntax of the responses sent by the server by having the user agent submit "unexpected" data.

Regards
Henrik
Received on Monday, 24 January 2011 07:03:54 UTC
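
The two countermeasures described in the message above, as an added example that is not part of the original e-mail or of any server's code. The names `header_value`, `check_head` and `build_head` are hypothetical, and the sample inputs are constructed.

```python
import re

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # header field-name characters
STATUS = re.compile(rb"HTTP/1\.[01] \d{3} [^\r\n]*")    # HTTP/1.x status line

def header_value(user_text: str) -> str:
    """First countermeasure: refuse control characters in data bound for a header."""
    if any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in user_text):
        raise ValueError("control character in header value")
    return user_text

def check_head(head: bytes) -> list[str]:
    """Second countermeasure: list the problems in a serialized header section."""
    if not head.endswith(b"\r\n\r\n"):
        return ["header section does not end with a blank line"]
    lines = head[:-4].split(b"\r\n")
    problems = []
    if not STATUS.fullmatch(lines[0]):
        problems.append("malformed status line")
    lengths = []
    for line in lines[1:]:
        if line == b"":
            problems.append("extra blank line inside header section")
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name) or b"\r" in value or b"\n" in value:
            problems.append(f"malformed header line: {line!r}")
        elif name.lower() == b"content-length":
            lengths.append(value.strip(b" \t"))
    if len(lengths) > 1:
        problems.append("more than one Content-Length")
    problems += [f"malformed Content-Length: {v!r}" for v in lengths
                 if not re.fullmatch(rb"[0-9]+", v)]
    return problems

def build_head(lang: str) -> bytes:
    """Hypothetical handler that copies a request parameter into a cookie unchecked."""
    return ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 12\r\n"
            f"Set-Cookie: lang={lang}\r\n\r\n").encode("latin-1")

if __name__ == "__main__":
    crafted = "sv\r\nContent-Length: 0\r\n\r\nextra"   # constructed sample input
    print(check_head(build_head("sv")))       # clean response
    print(check_head(build_head(crafted)))    # what the check reports before sending
```

The check has to run on the header section as the server serialized it, before the body is appended, because that is the last point where the intended end of the headers is still known.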