W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: More on XSS mitigation (was Re: XSS mitigation in browsers)

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Mon, 24 Jan 2011 08:03:04 +0100
To: John Wilander <john.wilander@owasp.org>
Cc: Michal Zalewski <lcamtuf@coredump.cx>, gaz Heyes <gazheyes@gmail.com>, Gervase Markham <gerv@mozilla.org>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
Message-ID: <1295852584.1241.6.camel@henriknordstrom.net>
mån 2011-01-24 klockan 03:02 +0100 skrev John Wilander:


> Finally, Response Splitting
> Since it has been discussed before I'd just like to bring response
> splitting to the table. That's an attack vector against header
> policies. A proposed countermeasure is some form of signed headers.

The best countermeasure is simply to not use any user provided data in
headers without careful checking and encoding. Pay attention what you
put in those cookies please.

Second countermeasure is having a safety check on sent responses. Header
section must not contain extra blank lines or more than one
content-length, malformed content-length and preferably no other
malformed headers.

The flaw which allows for response splitting is insecure programming at
the server side, allowing the calling agent to control parts of the
header output of the server. This allows the attacker to mess up the
HTTP protocol message syntax of the responses sent by the server by
having the user agent submit "unexpected" data.

Regards
Henrik
Received on Monday, 24 January 2011 07:03:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 24 January 2011 07:03:56 GMT