Tuesday, April 10, 2007

It can't be done

I feel that I'd be remiss in my duties if I didn't follow up my previous post, "Preventing HTTP response splitting with request/response identifiers?", with a clarification that it can't be done.

It reminds me of a scene from the movie Awakenings...

Dr. Malcolm Sayer: I was to extract one decagram of myelin from four tons of earthworms.
Hospital Director: Really?
Dr. Malcolm Sayer: Yes. I was on that project for five years. I was the only one who believed in it, everyone else said it couldn't be done.
Dr. Kaufman: It can't.
Dr. Malcolm Sayer: I know that now, I proved it.

So, I proposed my little scheme for preventing HTTP Response Splitting, and Amit Klein was nice enough to point out all of the flaws in my argument and scheme. I don't feel like a beaten man, though. In all fairness, the HTTP protocol and HTML are lacking a whole bunch of security features, which makes certain attacks all but inevitable - or at least not preventable through architectural means...

Look for more crackpot security schemes here in the near future.

