HTTP Attacks - HTTP Response Splitting

I’ am stuck for several days on HTTP Response Splitting section. I tried everything with Burp and many times URL encoding. I tried all the tricks from module "Cross-Site Scripting (XSS), even with xsstrike.py etc. But no success. Please help.

hello bro Is there any progress? I’m stuck at the same place.

No sorry, I skipped this question for now

okey you will let me figure out the question

I finished now the module HTTP Attacks except for “HTTP Response Splitting”. ???

Hopefully this will help and won’t be considered spoiler.

Firstly, you should craft your payload with the “target” GET parameter and only then try to pwn the admin.

Look at the headers you get back, there’s a new one that was not present in the example’s response.
How does it change the browser behavior? How can you bypass it or force your way over it? (:

btw I got some issues with Firefox, maybe try your payloads with other browsers as well

1 Like

Thanks a lot. I noticed the difference and saw that the response did not handle the html code in the right way. (Pretty was grey). With your remarks I managed to bypass this.
I ran into the same problem using Firefox. With Chromium it was solved…
now finding the admin user’s cookie…

The webpage does not have any cookies!!! ???

Still stuck. Please anyone for a hint?

Did you figure it out? I did not, so if you are let me know please.

there is a log function on the website you can use to grab the cookie by putting it on a get request parameter :slight_smile:

Thanks. I finished.

Log Injection

I’m stuck on the first question. Can you help me? I put a web shell in the email pane or other panes in base64 urlencode format or ascii but it always blocks it. I can’t get the full version in the log section.

I have some questions for you in HTTP Attacks can you give me your discord address or something to contact you

Sorry to be annoyance, but could you give a hint for the log function usage? It should be simple, finished all sections in the module, really stuck on this one.

I dont fully remeber but i think it involves the /log endpoint. The requests to /?admin are logged in /log, have the XSS make a request to /?admin on the webserver containing the cookie. This will then get logged in /log

1 Like

Hello

Unfortunately, I’m also stuck on this :frowning: I get the XSS for myself, but I can’t display in the log

My payload works with the target parameter (tested it with document.domain instead of document.cookie since normal user does not have any cookies) but having trouble delivering it via the admin parameter. The triple URL encoding is very annoying.

Any tips?

1 Like

Took me awhile but got it working. The pieces I had to put together are:

  1. The HTTP protocol needs a specific header to tell the browser the text after all the headers must be interpreted as html. So in the request the admin does, this header needs to be present

  2. You can read cookies with javascript, so the body of the http request must have a javascript code that a) reads a cookie, b) writes it to the log (remember how do you write things in the log?)

  1. An http response with code 302 will redirect you to the url in the location header, unless this header is empty

So basically you need the admin to go to one page that returns 302, with an empty location header, add the right header, put in the body a javascript that does what you need

I didnt have to do any double encodings with this technique tough, dont know what technique needs double encoding
Hope that helps

2 Likes

Have you solved this one? I have the same issue, got it to work for a user but doing the same for an admin has yielded no results. Tried tweaking in multiple ways without luck.