
Is PHP immune to "HTTP Response Splitting" vulnerabilities?

<?php
setcookie('test', "test\r\n<script>alert(1)</script>");
echo 1;

But it turns out PHP automatically does the encoding:

Set-Cookie: test=test%0D%0A%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Does that mean it's impossible to reproduce HTTP response splitting in PHP?

asked Jun 09 '11 03:06 by cpuer (213 likes)



1 Answer

From the linked Wikipedia article:

[...] Although response splitting is not specific to PHP, the PHP interpreter contains protection against the attack since version 4.4.2 and 5.1.2. [1]

header and setcookie contain mitigations against response/header splitting. It's not possible.

answered Oct 12 '22 02:10 by mario (141 likes)
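The mitigation the answer refers to can be observed directly from the command line, because headers_list() reports what PHP would send even under the CLI SAPI. This is an added example, not code from the question or the answer; it assumes PHP 8 (setrawcookie() only throws a ValueError since PHP 8, older versions emit a warning instead) and uses a constructed test string as the tainted value.

```php
<?php
// Added example: run with `php splitting_check.php` on a PHP 8 CLI.
// It records the diagnostics PHP raises and lists the headers PHP would
// actually send, so the effect of each built-in mitigation is visible.

// Constructed test input: a value that tries to end the header line and
// start a second one (the pattern the question is about).
$tainted = "test\r\nX-Injected: 1";

// Collect the E_WARNING that header() raises instead of printing it to stderr.
$diagnostics = [];
set_error_handler(function (int $errno, string $msg) use (&$diagnostics): bool {
    $diagnostics[] = $msg;
    return true;
});

// 1. header(): PHP refuses to send any header that contains a newline
//    ("Header may not contain more than a single header, new line detected").
header("X-Test: $tainted");

// 2. setcookie(): the value is percent-encoded, so CR/LF become %0D%0A and
//    the cookie stays on a single Set-Cookie line.
setcookie('test', $tainted);

// 3. setrawcookie() skips the encoding; PHP 8 rejects the value with a
//    ValueError rather than sending it.
try {
    setrawcookie('raw', $tainted);
} catch (ValueError $e) {
    $diagnostics[] = get_class($e) . ': ' . $e->getMessage();
}

restore_error_handler();

echo "Headers PHP would send:\n";
foreach (headers_list() as $h) {
    echo "  ", $h, "\n";   // only the encoded Set-Cookie appears; no X-Injected
}

echo "Diagnostics raised:\n";
foreach ($diagnostics as $d) {
    echo "  ", $d, "\n";
}
```

The output contains a single Set-Cookie line with the %0D%0A encoding shown in the question, and no X-Test or X-Injected header at all; the two diagnostics document why they were dropped.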