HTTP Splitting - attack that use improper input validation. It usually targets web application located behind Nginx (HTTP Request Splitting) or its users (HTTP Response Splitting).
Vulnerability is created when an attacker can insert newline character \n or \r into request or into response, created by Nginx.
You should always pay attention to:
- variables that are used in directives, responsible for the request creation (for they may contain CRLF), e.g.
rewrite,return,add_header,proxy_set_headerorproxy_pass; $uriand$document_urivariables, and in which directives they are used, because these variables contain decoded URL-encoded value;- variables, that are selected from an exclusive range, e.g.
(?P<myvar>[^.]+).
An example of configuration that contains variable, selected from an exclusive range:
server {
listen 80 default;
location ~ /v1/((?<action>[^.]*)\.json)?$ {
add_header X-Action $action;
return 200 "OK";
}
}Exploitation:
GET /v1/see%20below%0d%0ax-crlf-header:injected.json HTTP/1.0
Host: localhost
HTTP/1.1 200 OK
Server: nginx/1.11.10
Date: Mon, 13 Mar 2017 21:21:29 GMT
Content-Type: application/octet-stream
Content-Length: 2
Connection: close
X-Action: see below
x-crlf-header:injected
OKAs you can see, an attacker could add x-crlf-header: injected response header. This was possible because:
add_headerdoesn't encode or validate input value on suggestion that author knows about the consequences;- the path value is normalize before location processing;
$actionvalue was given from a regexp with an exclusive range:[^.]*;- as the result,
$actionvalue is equal tosee below\r\nx-crlf-header:injectedand on its use the response header was added.
- try to use safe variables, e.g.
$request_uriinstead of$uri; - forbid the use of the new line symbol in the exclusive range by using
/some/(?<action>[^/\s]+)instead of/some/(?<action>[^/]+ - it could be a good idea to validate
$uri(only if you're sure you know what are you getting into).