The Ktor Coroutine-based I/O Server implementation io.ktor.client.engine.cio.CIO is vulnerable to HTTP Response Splitting.
This vulnerability is fixed in Ktor version 1.2.6.
The POC below shows a simple server that takes a user-provided value and reflects it back in a custom header. It demonstrates how an attacker could abuse this to supply their own response, enabling a variety of other attack vectors; in this case it allows the attacker to perform XSS and leak potentially sensitive header values.
If an application using the Ktor library takes user-provided input and inserts it into a header value, that can be abused to facilitate this attack.
It is also possible to abuse this vulnerability if untrusted user data is accepted for the call.respondRedirect method.
See the CWE linked above for a more detailed explanation of these:
- Cross-User Defacement
- Cache Poisoning
- Cross-Site Scripting (XSS)
- Page Hijacking
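The following is an added example, not code from the advisory or from the Ktor project, showing how an application can guard the two patterns described above (reflecting untrusted input into a custom header, and passing untrusted input to call.respondRedirect) by refusing any value that contains CR, LF or other control characters before it reaches the response. The port, route paths, query parameter names and the X-Reflected header name are assumptions; the Ktor 1.x API is used.

```kotlin
import io.ktor.application.*
import io.ktor.http.*
import io.ktor.response.*
import io.ktor.routing.*
import io.ktor.server.cio.CIO
import io.ktor.server.engine.embeddedServer

// CR and LF are what lets an attacker end the current header line and start
// writing their own headers or body; other ASCII control characters have no
// legitimate place in a header value either, so they are refused as well.
private val illegalHeaderChars = Regex("[\\u0000-\\u001F\\u007F]")

// Returns the value unchanged if it is safe to place in a header, otherwise
// throws IllegalArgumentException. Rejecting is preferred over stripping so
// that tampering attempts fail loudly and can be logged.
fun sanitizeHeaderValue(value: String): String {
    require(!illegalHeaderChars.containsMatchIn(value)) {
        "header value contains control characters"
    }
    return value
}

fun main() {
    embeddedServer(CIO, port = 8080) {   // assumed port
        routing {
            // Pattern 1 from the advisory: a user-controlled value echoed in a
            // custom header. The value is validated before the header is set.
            get("/echo") {
                val untrusted = call.request.queryParameters["v"] ?: ""
                val safe = try {
                    sanitizeHeaderValue(untrusted)
                } catch (e: IllegalArgumentException) {
                    call.respond(HttpStatusCode.BadRequest, "invalid header value")
                    return@get
                }
                call.response.header("X-Reflected", safe)   // assumed header name
                call.respondText("ok")
            }
            // Pattern 2 from the advisory: untrusted data used as a redirect
            // target. The Location header is built from this string, so it gets
            // the same control-character check before respondRedirect is called.
            get("/go") {
                val target = call.request.queryParameters["to"] ?: "/"
                if (illegalHeaderChars.containsMatchIn(target)) {
                    call.respond(HttpStatusCode.BadRequest, "invalid redirect target")
                    return@get
                }
                call.respondRedirect(target)
            }
        }
    }.start(wait = true)
}
```

A request such as `/echo?v=a%0D%0ASet-Cookie:%20x` is answered with 400 instead of producing a second header line, which is the behaviour a fixed Ktor version enforces at the engine level and which this check provides independently in application code.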