HTTP Header Injection
In this post, we take a look at this rather nasty injection attack, and how developers can prevent these types of attacks in their web applications.
Injections are vulnerabilities that occur when an application performs no, or inadequate, validation of user input. An attacker can inject malicious data and thereby make the system perform unintended actions. Such vulnerabilities may lead to the major SAP risks (espionage, sabotage, and fraud).
We continue considering Injections from the list that we discussed in our Introduction to Secure ABAP Development Guide.
Earlier we spotlighted the following subtypes of Injections:
Now it's HTTP Header Injection's turn.
HTTP Header Injection is a vulnerability that appears when Hypertext Transfer Protocol (HTTP) headers are dynamically generated from user input. For example, in ABAP the set_cookie method of the IF_HTTP_ENTITY class is used to set a cookie in the browser. If data from an untrusted source reaches the cookie in the response, an attacker can manipulate the user's cookie.
```abap
DATA: url    TYPE string,
      author TYPE string.

" The redirect target is taken straight from the request.
url = request->get_form_field( 'url' ).
IF url IS NOT INITIAL.
  response->redirect( url ).
  navigation->response_complete( ).
ENDIF.

" The cookie value is also taken straight from the request and passed to
" set_cookie without any validation: this is the injection point.
author = request->get_form_field( 'author' ).
response->set_cookie( name  = 'author'
                      value = author ).
```
In this case, the data specified by the user passes from the request directly to the set_cookie method without any filtering. The attacker will be able to take over the user's session and perform actions on the user's behalf, or gain access to sensitive information. This may lead to serious business risks, including espionage or fraud.
The best remediation for this vulnerability is to avoid storing any confidential data in a cookie. System IDs, hostnames, and non-public IP addresses of target servers can become the target of an attack. If storing such information in a cookie is necessary for your system, apply a one-way hash to it rather than storing the value itself. In addition, to improve the general security level of the system, set the icm/HTTP/logging_0 profile parameter to LOGFILE=path_to_file to enable logging of HTTP requests.
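As an added example (not code from the original article), here is a hardened version of the snippet above that applies the two remediations just described: it validates the redirect target and the cookie input for control characters, and it stores a one-way hash in the cookie instead of the raw value. It assumes the same ICF handler context as the vulnerable snippet (request of type IF_HTTP_REQUEST, response of type IF_HTTP_RESPONSE, navigation of type IF_HTTP_NAVIGATION); the form fields 'url' and 'author' and the cookie name 'author' are taken from the article.

```abap
" Added example, not part of the original article. Assumes the ICF handler
" context of the vulnerable snippet above (request, response, navigation).
DATA: url    TYPE string,
      author TYPE string,
      digest TYPE string.

" 1. Redirect target: accept only a server-relative path. An absolute URL
"    ('https://...') or a protocol-relative one ('//host') would turn this
"    into an open redirect, and any control character (CR, LF, ...) would
"    let the attacker terminate the Location header and append headers of
"    their own. find( ) returns -1 when the regex does not match.
url = request->get_form_field( 'url' ).
IF url IS NOT INITIAL
   AND url CP '/*'
   AND url NP '//*'
   AND find( val = url regex = '[[:cntrl:]]' ) < 0.
  response->redirect( url ).
  navigation->response_complete( ).
ENDIF.
" An invalid 'url' value is simply ignored; nothing from it is echoed back.

" 2. Cookie value: never copy raw input into a header. Store a one-way hash
"    instead, as the article recommends for anything confidential. The hex
"    digest contains no characters that could break out of the Set-Cookie
"    line, and it does not disclose the original value.
author = request->get_form_field( 'author' ).
IF author IS NOT INITIAL
   AND find( val = author regex = '[[:cntrl:]]' ) < 0.
  cl_abap_message_digest=>calculate_hash_for_char(
    EXPORTING
      if_algorithm  = 'SHA256'
      if_data       = author
    IMPORTING
      ef_hashstring = digest ).
  response->set_cookie( name  = 'author'
                        value = digest ).
ENDIF.
```

The control-character check on the cookie input is kept even though the hash would neutralise CR/LF anyway: rejecting malformed input early makes the rejected requests visible in the HTTP log enabled with icm/HTTP/logging_0, which is where an attempted injection would otherwise go unnoticed.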
Use authority checks to increase the security of your code. They do not guarantee complete protection against injections, but they can sometimes prevent attacks. For example, check the user's access rights before executing INSERT REPORT. For this purpose, use the following check:

```abap
DATA: devclass TYPE devclass,
      objname  TYPE sobj_name,
      prg_name TYPE progname,
      u_input  TYPE string,
      src      TYPE STANDARD TABLE OF string.

" The object checked must be the program that is about to be written.
objname = prg_name.

" Verify that the current user may change (ACTVT '02') this program in
" its package before any source is generated from user input.
AUTHORITY-CHECK OBJECT 'S_DEVELOP'
  ID 'ACTVT'    FIELD '02'
  ID 'DEVCLASS' FIELD devclass
  ID 'OBJNAME'  FIELD objname
  ID 'OBJTYPE'  FIELD 'PROG'
  ID 'P_GROUP'  DUMMY.         " P_GROUP is not restricted here
IF sy-subrc <> 0.
  LEAVE PROGRAM.
ENDIF.
APPEND u_input TO src.
INSERT REPORT prg_name FROM src.
```
'ACTVT' is the activity that a user is allowed to execute; the value '02' means that the user has the right to change the program.
This is all for today, and we hope the article has clarified your questions concerning HTTP Header Injection.
Published at DZone with permission of Alexander Polyakov, DZone MVB.