Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is EnableHeaderChecking=true enough to prevent Http Header Injection attacks?

Tags:

security

asp.net

iis

fortify

Is it sufficient to have [System.Web.Configuration.HttpRuntimeSection.EnableHeaderChecking](http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.enableheaderchecking(VS.85).aspx) set to true (default) to fully prevent Http Header Injection attacks like Response Splitting etc.?

I'm asking because a white box penetration testing tool (fortify) reports exploitable http header injection issues with HttpResponse.Redirect and cookies but I haven't found a way to successfully perform an attack. (edit:..and we have EnableHeaderChecking turned on..)

like image 481
Josef Pfleger Avatar asked May 15 '09 15:05

Josef Pfleger

People also ask

What is HTTP header injection attack?

HTTP header injection is a technique that can be used to facilitate malicious attacks such as cross-site scripting, web cache poisoning, and more. These, in turn, may lead to information disclosure, use of your application in phishing attacks, and other severe consequences.

Which HTTP header in the application enables the injection vulnerability?

Description: HTTP response header injection HTTP response header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way.

Is vulnerable to HTTP Host header injection?

HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior.

Can Host header be spoofed?

However, if a web-server relies on the supplied value of the Host header, a malicious user can provide a spoofed value to generate misleading links on your website and in transactional emails.

2 Answers

I've been looking at this for some time now and draw the conclusion that setting EnableHeaderChecking to true is in fact good enough to prevent http header injection attacks.

Looking at 'reflected' ASP.NET code, I found that:

  1. There is only one way to add custom HTTP headers to an HTTP response, namely using the HttpResponse.AppendHeader method
  2. HttpResponse.AppendHeader either
    • creates instances of HttpResponseHeader (internal)
    • or calls HttpResponseHeader.MaybeEncodeHeader (for IIS7WorkerRequests)
    • or assigns its respective properties (for known headers like RedirectLocation or ContentType)
  3. HttpResponseHeader instances are created before known headers like RedirectLocation or ContentType are sent (HttpResponse.GenerateResponseHeaders)
  4. The HttpResponseHeader constructor checks the EnableheaderChecking setting and calls HttpResponseHeader.MaybeEncodeHeader when set to true
  5. HttpResponseHeader.MaybeEncodeHeader correctly encodes newline characters which makes HTTP header injection attacks impossible

Here is a snippet to roughly demonstrate how I tested:

// simple http response splitting attack
Response.AddHeader("foo", "bar\n" + 
    // injected http response, bad if user provided
    "HTTP/1.1 200 OK\n" + 
    "Content-Length: 19\n" +
    "Content-Type: text/html\n\n" +
    "<html>danger</html>"
);

The above only works if you explicitly turn EnableHeaderChecking off:

<httpRuntime enableHeaderChecking="false"/>

Fortify simply doesn't take configuration into account (setting EnableHeaderChecking explicitly had no effect) and thus always reports these type of issues.

like image 111
Josef Pfleger Avatar answered Sep 20 '22 05:09

Josef Pfleger

AFAIK it's enough and it should be turned on by default.

I think Fortify is just thinking about defence in depth as if you change the configuration in the deployment etc.

I assume you did not strictly set it on in your configuration, if you have maybe Fortify is not that smart to figure that our.

Best way to confirm is exploiting it :)

  • Just get a copy of fiddler
  • Intercept the request
  • Try to inject new line
  • See if the new line you've just injected is in the HTTP response or not.
like image 26
dr. evil Avatar answered Sep 22 '22 05:09

dr. evil
Sign in to Comment

Related questions

Download function failing with big file sizes
integrate CMS with an existing ASP.NET web site
New Azure Distributed Cache for Azure Websites in Reserved Instance Mode
Sending a javascript array to code behind(c#) using ajax
How do you force the IIS Application Pool to restart whenever the App Domain is reloaded?
Error with Entity Framework: AcceptChanges cannot continue because the object's key values conflict with another object in the ObjectStateManager
does not implement interface member
static variable lifetime and application pool recylcing
MultipartFormDataStreamProvider Cleanup
How to prevent long running requests in an IIS worker process?
ASP.Net MVC Alternative Login to identity
How to display file upload progress in progressbar - Amazon S3 bucket
Intermittent crash of w3wp.exe with ThreadAbortException after .NET 4.6 upgrade
ASP.NET 4.6 doesn't turn response in HTTP2 (azure website)
Potentially wrong and annoying message: “This project uses SQL Server Express LocalDB”
Pass Additional ViewData to DisplayFor Template
Is current request being made over SSL with Azure deployment
In ASP.net core Identity (UserManager & SignInManager) is it possible to ban a user immediately?
Popup bootstrap model on GridView edit click using RowCommand event
Getting an object back from my GridView rows

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!