Monday, Oct 20, 2008

Header Injection And Response Splitting

I thought about the redirect_to method when I saw Ryan's screencast on how to go back with redirect_to :back. That redirects the user to the URL in the Referer header field; it is the same as redirect_to request.referer. The Referer is a user-supplied value set by the browser or another user agent. It should not be possible to spoof the Referer in an Ajax request, but some browsers seem to allow it (Firefox does not).

An attack on this is quite unlikely. However, if the attacker manages to manipulate the Referer, the victim will be redirected to another site. That site may install malicious software on the victim's computer through browser security holes, or it could be a phishing site that asks the victim to enter his username and password.

Then I saw comment #11, which suggests putting the referer into a hidden field:

<%= hidden_field_tag :referer, (params[:referer] || request.env['HTTP_REFERER']) %>

The hidden_field_tag method automatically escapes the value, so this line itself is not vulnerable to XSS. However, be aware of XSS if you use the parameter anywhere else.

More important is that you would then call redirect_to params[:referer]. This is a very nice open redirector for any URL you like: if the attacker supplies the referer parameter to the site (the page carrying the hidden_field_tag from above), the victim will be redirected to any page the attacker desires:

http://www.yourapplication.com/controller/action?referer=http://www.malicious.tld

Header Injection

Then there is another problem with user-supplied values in HTTP headers: Header Injection. It seems that Ruby/Rails does not sanitize the parameter passed to redirect_to, which means the user may set any header field he likes:

http://www.yourapplication.com/controller/action?referer=http://www.malicious.tld%0a%0dX-Header:+Hi!

Note that "%0d%0a" is the URL-encoded form of "\r\n", a carriage return and line feed in Ruby, which is exactly what terminates a header line. So the resulting HTTP header will be:

HTTP/1.1 302 Moved Temporarily
(...)
Location: http://www.malicious.tld
X-Header: Hi!

And even if you allow the user to supply only part of the target URL, the attacker may still overwrite the Location header field (and thus redirect to any site he wants):

http://www.yourapplication.com/controller/action?referer=path/at/your/app%0aLocation:+http://www.malicious.tld
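
The open redirect from the hidden-field section and the header injection just shown are both stopped by the same input check, so here is one added example serving both passages. It is not code from the original post or from Rails; the SafeRedirect module and its safe_return_to helper are hypothetical names. The helper accepts a user-supplied "return to" value only if it is a plain local path with no control characters, and otherwise returns a fallback, so whatever reaches redirect_to can neither end the Location line nor point off-site.

```ruby
require 'uri'

# Added example (hypothetical helper, not part of the original post or of Rails):
# validate a user-supplied return-to value before handing it to redirect_to.
module SafeRedirect
  FALLBACK = '/'.freeze

  # Returns a local path that is safe to pass to redirect_to, or the fallback.
  def self.safe_return_to(value, fallback: FALLBACK)
    return fallback unless value.is_a?(String) && value.valid_encoding?
    return fallback if value.empty?

    # Header injection: a CR/LF (or any other control character) in the value
    # would terminate the Location line and start a new header, so reject it.
    return fallback if value.match?(/[\x00-\x1f\x7f]/)

    # Open redirect: accept only a path that begins with a single slash.
    # "//host" is a protocol-relative URL and some browsers normalise "/\host"
    # to the same thing, so both prefixes are rejected as well.
    return fallback unless value.start_with?('/')
    return fallback if value.start_with?('//', '/\\')

    uri = begin
      URI.parse(value)
    rescue URI::InvalidURIError
      return fallback           # e.g. a space in the path
    end
    # A scheme or host after parsing means it is not a plain local path.
    return fallback if uri.scheme || uri.host

    value
  end
end

# In a controller this would be used as (illustration only):
#   redirect_to SafeRedirect.safe_return_to(params[:referer], fallback: root_path)

if __FILE__ == $PROGRAM_NAME
  # The post's own payloads, URL-decoded as Rails would present them in params.
  ["http://www.malicious.tld",
   "http://www.malicious.tld\n\rX-Header: Hi!",
   "path/at/your/app\nLocation: http://www.malicious.tld",
   "/path/at/your/app"].each do |v|
    puts "#{v.inspect} -> #{SafeRedirect.safe_return_to(v).inspect}"
  end
end
```

The check runs on the decoded parameter, which is where "%0d%0a" has already become a real CR/LF pair; allow-listing a leading slash and parsing with URI is more robust than trying to block-list individual schemes or hosts.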

Response Splitting

As Header Injection is possible, Response Splitting might be, too. In HTTP, the header block is terminated by two consecutive carriage-return/line-feed sequences (CRLF CRLF), followed by the actual data (usually HTML). The idea of Response Splitting is to inject those two CRLFs followed by a second, attacker-crafted response containing malicious HTML. The response will then be:

HTTP/1.1 302 Found [First standard 302 response]
Date: Tue, 12 Apr 2005 22:09:07 GMT
Location:
Content-Type: text/html

HTTP/1.1 200 OK [Second New response created by attacker begins]
Content-Type: text/html

<html><font color=red>hey</font></html> [Arbitrary input by user is shown as the redirected page]
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Read the original article here. Under certain circumstances this would present the malicious HTML to the user. However, it seems to work with Keep-Alive connections only (and many browsers use one-time connections). But you can't rely on that. In any case this is a serious bug, and you should update your Rails to version 2.0.5 or the soon-to-be-released 2.1.2.
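
To make the splitting mechanics concrete, here is an added example (not from the original post) that parses a raw HTTP stream the way a keep-alive client would, message by message, and reports how many responses it contains. The HttpStreamParser class is a hypothetical name, and the SPLIT_SAMPLE constant is constructed from the response shown above with the bracketed annotations removed. A clean redirect yields exactly one message; the split stream yields two, with the server's leftover headers ending up inside the attacker-controlled body, which is what the trace above illustrates.

```ruby
# Added example (hypothetical, not part of the original post): walk a raw HTTP
# stream message by message, as a client on a persistent connection would.
class HttpStreamParser
  STATUS_LINE = %r{\AHTTP/\d\.\d \d{3}(?: .*)?\z}

  Response = Struct.new(:status_line, :headers, :body)

  # Constructed sample: the split response from the post, without annotations.
  SPLIT_SAMPLE = [
    'HTTP/1.1 302 Found',
    'Date: Tue, 12 Apr 2005 22:09:07 GMT',
    'Location: ',
    'Content-Type: text/html',
    '',
    'HTTP/1.1 200 OK',
    'Content-Type: text/html',
    '',
    '<html><font color=red>hey</font></html>',
    'Keep-Alive: timeout=15, max=100',
    'Connection: Keep-Alive',
    'Transfer-Encoding: chunked',
    'Content-Type: text/html'
  ].join("\r\n").freeze

  # Returns an array of Response structs, one per message found in the stream.
  # Without a reliable Content-Length the body is taken to run until the next
  # line that looks like a status line, which is exactly the ambiguity the
  # injected CRLF CRLF exploits.
  def self.parse(raw)
    responses = []
    lines = raw.split(/\r?\n/)
    i = 0
    while i < lines.size
      break unless lines[i].match?(STATUS_LINE)   # stream must start with a status line
      status = lines[i]
      i += 1

      headers = {}
      while i < lines.size && !lines[i].empty?
        name, value = lines[i].split(':', 2)
        headers[name.strip.downcase] = value.to_s.strip
        i += 1
      end
      i += 1                                       # skip the blank line ending the headers

      body = []
      while i < lines.size && !lines[i].match?(STATUS_LINE)
        body << lines[i]
        i += 1
      end
      responses << Response.new(status, headers, body.join("\n"))
    end
    responses
  end

  # True when the stream carries more than one message, i.e. it was split.
  def self.split?(raw)
    parse(raw).size > 1
  end
end

if __FILE__ == $PROGRAM_NAME
  HttpStreamParser.parse(HttpStreamParser::SPLIT_SAMPLE).each_with_index do |r, n|
    puts "message #{n + 1}: #{r.status_line} (#{r.headers.size} headers, #{r.body.bytesize} body bytes)"
  end
end
```

The same parser is handy in a test suite: feed it the raw bytes of a redirect built from hostile input and assert that it sees exactly one message and that the Location header contains the expected path only.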
