Sep 1, 2009

Multiple CRLF Injection / HTTP Response Splitting Vulnerabilities In Google AdWords

I. Description:

Google AdWords is vulnerable to a new form of application attack technique called HTTP Response
Splitting (aka CRLF Injection). HTTP Response Splitting enables an attacker to alter the structure of the
HTTP response headers, which can lead to a range of attacks such as web cache poisoning, temporary
defacement, page hijacking or cross-site scripting (XSS). This happens because user input is copied into
the value section of an HTTP header without properly escaping or removing CRLF characters, so a single
request can produce two HTTP responses instead of one.

II. Affected Links:

GET /select/ProfessionalWelcome?hl=%0d%0afakeheader&null=Go HTTP/1.0
GET /select/Login?hl=%0d%0afakeheader&null=Go HTTP/1.0
Proof-of-concept:
[Screenshot a: request details and response header showing the custom HTTP header added through the "hl" parameter]
Solution:
Sanitize CR (0x0D, decimal 13) and LF (0x0A, decimal 10) from the user input, or properly encode the
output, in order to prevent the injection of custom headers.
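The defect and both fixes from the advisory, as an added illustration that is not Google's code: a hypothetical handler that copies the decoded "hl" value into a Location header, the same handler with CR/LF stripped, a percent-encoding alternative, and a naive downstream parser that shows how one byte stream turns into an injected header or a second response. The request path and payloads are taken from the advisory; the handler structure is an assumption.

```python
from urllib.parse import unquote, quote

CRLF = "\r\n"


def render_response_unsafe(hl: str) -> str:
    """Hypothetical handler modelled on the advisory: the decoded 'hl' query
    value is copied into a response header with CR/LF left intact."""
    return (
        "HTTP/1.0 302 Found" + CRLF
        + "Location: /select/ProfessionalWelcome?hl=" + hl + CRLF
        + "Content-Length: 0" + CRLF + CRLF
    )


def sanitize_header_value(value: str) -> str:
    """Fix 1 from the advisory: remove CR (0x0D) and LF (0x0A) before the
    value reaches a header line."""
    return value.replace("\r", "").replace("\n", "")


def encode_header_value(value: str) -> str:
    """Fix 2: percent-encode the value so CR/LF survive only as %0D%0A text."""
    return quote(value, safe="")


def render_response_safe(hl: str) -> str:
    """Same handler with the advisory's sanitisation applied."""
    return render_response_unsafe(sanitize_header_value(hl))


def header_lines(raw: str) -> list:
    """Header lines of the first response, as a downstream parser sees them."""
    head = raw.split(CRLF + CRLF, 1)[0]
    return head.split(CRLF)[1:]


def count_responses(raw: str) -> int:
    """Number of status lines a naive proxy or cache would treat as separate
    responses inside the same byte stream."""
    return sum(1 for block in raw.split(CRLF + CRLF) if block.startswith("HTTP/"))


# Constructed inputs: the advisory's header-injection payload, decoded as the
# server would decode it, and a minimal second-response payload (empty body).
PAYLOAD_HEADER = unquote("%0d%0afakeheader")
PAYLOAD_SPLIT = unquote("%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0a%0d%0a")

if __name__ == "__main__":
    print("injected header lines:", header_lines(render_response_unsafe(PAYLOAD_HEADER)))
    print("responses seen, unsafe:", count_responses(render_response_unsafe(PAYLOAD_SPLIT)))
    print("responses seen, safe:  ", count_responses(render_response_safe(PAYLOAD_SPLIT)))
```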
-----
Vendor Name: Google
Product Name: Google AdWords (https://adwords.google.com/)
----------
# ITS ©
# 2008 - 2009
