Java: setCharacterEncoding NOT affected by HTTP Response Splitting

By YEHG -
<% 
String attacker_controlled_charset = "ISO-8859-1%0d%0aHacked-Response-Header: 1337";
response.setCharacterEncoding(attacker_controlled_charset);
%>


Comments

Post a Comment

Popular posts from this blog

XSS: Gaining access to HttpOnly Cookie in 2012

By YGN Ethical Hacker Group -
Image
Update 2016/02: We were asked by a lot if this still works.  Shortly after our disclosure, this issue has been patched. ------ The Background - The Past Gaining access to  HttpOnly cookie  was first attempted by means of XST,  Cross Site Tracing  vulnerability. Soon after the popularity of XST, the TRACE method has been disabled by most web servers.  Later, browsers' implementation of XMLHttpRequest also blocked "TRACE" method (i.e.  xmlhttp.open('TRACE', url, true) ].  Later,  a flawed implementation in Firefox's  XMLHttpRequest which can be used to access set-cookie response header was fixed.   JS Debugger pointing out "TRACE" method as invalid arugment   JS Debugger pointing out "TRACE" method as illegal value A Sla.ckers.org forum member, LeverOne, posted ways to access HttpOnly cookie through the use of Java API and applet.  I reproduced his techniques. When the first method was tried, the Java Runtime did no
Read more

The important "expires" attribute of Set-Cookie

By YGN Ethical Hacker Group -
The Established Assumption It has been widely known about the "expires" attribute of Set-Cookie HTTP Response header in the following way.  Taken from OWASP Testing Guide: https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002) *expires - This attribute is used to set persistent cookies, since the cookie does not expire until the set date is exceeded.  This persistent cookie will be used by this browser session and subsequent sessions until the cookie expires.  Once the expiration date has exceeded, the browser will delete the cookie.  Alternatively, if this attribute is not set, then the cookie is only valid in the current browser session and the cookie will be deleted when the session ends.  The Truth  Although setting without "expires" attribute is acceptable at first sight because of the browser's automatic cookie clean-up management, the cookie will stay active until the user manually closes the whole browser window, i.
Read more

HttpOnly Session ID in URL and Page Body | Cross Site Scripting

By YGN Ethical Hacker Group -
The Background We have been seeing authentication session ID appeared in URL Query String/REST URI and page body.  The use of session ID in Query String is to enable session tracking for web browsers which disable or do not support browser-based cookie mechanism.  This is commonly seen in Java web applications and cookieless mechanism in ASP.net web applications . From what we have seen so far, the session ID in page body is used as anti Cross Site Request Forgery token or anti-cache parameter though it is not very common. The Problem It should be noted that even though developers use the "HttpOnly" session cookie,  the above-mentioned  leakages of session ID in URL and page body nullify the effectiveness of "HttpOnly" flag.  This no doubt leads attackers to gain access to the HttpOnly session cookie via an Cross Site Scripting (XSS) vulnerability as JavaScript can read anything in the page body and URL information.
Read more