CAPEC-34

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Stable MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: Medium Severity: High
HTTP Response Splitting

Description

An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site. See CanPrecede relationships for possible consequences.

Prerequisites

A vulnerable or compromised server or domain/site capable of allowing adversary to insert/inject malicious content that will appear in the server's response to target HTTP agents (e.g., proxies and users' web browsers).

Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.

HTTP headers capable of being user-manipulated.

HTTP agents running on HTTP/1.0 or HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses.

Mitigations

Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.

Configuration: front-end HTTP agents notice ambiguous requests.

Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.

Configuration: Disable reuse of back-end connections.

Configuration: Use HTTP/2 for back-end connections.

Configuration: Use the same web server software for front-end and back-end server.

Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.

Configuration: Install latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers)

Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.

Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input.

Skills Required

[Medium] Detailed knowledge on HTTP protocol: request and response messages structure and usage of specific headers.

[Medium] Detailed knowledge on how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers.

[Medium] Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers.