Tricking Web Apps into Running Malicious Code

Whenever you’re online, you connect to a server that responds to your requests. Depending on the defenses, the web application you use may be vulnerable to injection types of attacks. Among the most prominent are XSS and SQL injection; another one is known as HTTP response splitting.

A web application and a server communicate through the HTTP protocol, with each request receiving a response and the demanded content, if available. A summary of the transaction is available in entries called headers, separated by two characters with names borrowed from the world of typewriters: CR (carriage return) and LF (line feed). These two markers also separate the content from the server.

A hacker who can insert a sequence of CRLF characters into the HTTP stream could modify the response header, splitting it to include malicious content. If the application that makes the request is vulnerable, it could run the code from the hacker and perform unauthorized actions on a connected device. HTTP response splitting is just an intermediate step for attackers to achieve their goal. One consequence is cross-site scripting (XSS), which can have devastating results on an IoT gadget, including remote control with elevated privileges.

To take advantage of this flaw, an attacker could create a link that contains malicious code and send it to a user running a vulnerable app. The hacker can hide the link in a component on a web page, such as a button or clickable image, so the user remains unaware.

Protecting against HTTP response splitting is not difficult. The shortest way is to prevent user input that contains CRLF characters. Other methods exist, but none are something an end user can do, so fixing the problem is in the hands of the developers. You can, though, make sure that your IoT devices have the latest update from the manufacturer.

Identifying vulnerable connected gadgets on the home network is no longer a job for the tech-savvy. Any user can install Bitdefender Home Scanner to check their network for devices with known security risks. It identifies the gadget and informs you of vulnerabilities in their current firmware version.

Active protection comes with Bitdefender BOX, a hardware tool that monitors the connections to and from the local network and blocks any communication to malicious online locations. Its defense covers all IoT devices in your home and all computers, regardless of the operating systems they run.

Source: Bitdefender Blog