HTTP Response Splitting

  • CWE 113
  • WASC 25
  • PCI 3.2-6.5.1
  • OWASP 2013-A1

HTTP Response Splitting occurs when an application improperly handles untrusted input in HTTP headers, allowing attackers to inject carriage return (\r) and line feed (\n) characters to create additional HTTP responses. This can lead to cache poisoning, cross-site scripting (XSS), malicious redirects, and session fixation. The vulnerability typically arises from insufficient input validation when dynamically generating HTTP headers such as Location, Set-Cookie, or custom headers.

Common patterns leading to HTTP Response Splitting:

  • Using user-supplied input directly in HTTP headers without encoding or validation.
  • Applications that generate Location headers for redirects from query parameters.
  • Concatenating input into headers such as Set-Cookie, WWW-Authenticate, or custom headers.
  • Lack of proper sanitization to remove CR (\r) and LF (\n) characters.

Impacts:

  • Cache Poisoning: Malicious responses may be stored in caches and served to other users.
  • Cross-Site Scripting (XSS): Injected headers can result in script execution in victim browsers.
  • Session Fixation: Attackers can manipulate cookies to hijack user sessions.
  • Phishing and Redirection: Users can be redirected to malicious sites through manipulated headers.

Detection indicators:

  • Headers containing unexpected line breaks or multiple HTTP responses from a single request.
  • User input reflected in HTTP headers without encoding.
  • Automated security scanners flagging potential header injection points.
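
The indicators above can be checked mechanically at a reverse proxy or in a traffic log. The following is an added example, not part of the original entry: it takes one request target and the raw bytes of the response it produced and reports three indicators: more than one status line in what should be a single response, a percent-decoded query parameter that carries CR or LF, and a parameter whose first line is reflected verbatim into the header block (an unencoded injection point even when no CRLF was sent). The sample request/response pairs are constructed for the example, and the `/redirect?next=` endpoint is assumed, not taken from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# An HTTP/1.x status line at the start of a line, e.g. "HTTP/1.1 200 OK".
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3}\b", re.MULTILINE)


def split_head_body(raw: bytes) -> tuple:
    """Split a raw response at the first blank line into (header block, body)."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return raw[:idx], raw[idx + len(sep):]
    return raw, b""


def first_line(value: str) -> str:
    """Text before the first CR or LF of a decoded parameter value."""
    return re.split(r"[\r\n]", value, maxsplit=1)[0]


def analyze(request_target: str, raw_response: bytes) -> dict:
    """Evaluate the detection indicators for one request/response pair."""
    head, body = split_head_body(raw_response)
    # Percent-decoding is what turns %0D%0A into a real CR LF pair.
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)

    # Indicator: more than one status line where a single response is expected.
    status_line_count = len(STATUS_LINE.findall(raw_response))
    # Indicator: a decoded parameter carries CR or LF and so could add header lines.
    crlf_params = [n for n, vs in params.items()
                   if any("\r" in v or "\n" in v for v in vs)]
    # Indicator: the first line of a parameter value appears verbatim in the header
    # block, which marks input reflected into headers without encoding.
    reflected = [n for n, vs in params.items()
                 if any(first_line(v).encode("latin-1", "replace") in head
                        for v in vs if first_line(v))]
    return {
        "status_line_count": status_line_count,
        "body_starts_with_status_line": STATUS_LINE.match(body) is not None,
        "crlf_in_params": crlf_params,
        "reflected_params": reflected,
        "suspicious": status_line_count > 1 or bool(crlf_params),
    }


# Constructed sample traffic (not real captures); the endpoint name is assumed.
BENIGN_REQUEST = "/redirect?next=%2Faccount"
BENIGN_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: /account\r\n"
                   b"Content-Length: 0\r\n\r\n")

# Same endpoint, but the parameter carried percent-encoded CR LF and the server
# copied it into Location verbatim, so a second "response" follows the first.
SPLIT_REQUEST = ("/redirect?next=%2Faccount%0D%0AContent-Length%3A%200%0D%0A%0D%0A"
                 "HTTP%2F1.1%20200%20OK%0D%0AContent-Type%3A%20text%2Fhtml%0D%0A%0D%0A"
                 "%3Cp%3Einjected%3C%2Fp%3E")
SPLIT_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: /account\r\n"
                  b"Content-Length: 0\r\n\r\n"
                  b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/html\r\n\r\n"
                  b"<p>injected</p>")

if __name__ == "__main__":
    for target, raw in ((BENIGN_REQUEST, BENIGN_RESPONSE), (SPLIT_REQUEST, SPLIT_RESPONSE)):
        print(target[:40], analyze(target, raw))
```

Note that the benign pair also reports `next` as reflected: reflection alone marks a place where header injection would be possible, while the CRLF and extra-status-line indicators show that it was actually attempted, which is why only the latter two set `suspicious`.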

Remediation

Mitigation focuses on proper input validation, encoding, and secure header construction:

  1. Validate and Encode User Input
    Reject or properly encode CR (\r) and LF (\n) characters in any input used in headers.

  2. Use Framework-Provided APIs
    Rely on secure methods provided by web frameworks for setting headers, which handle encoding automatically.

  3. Sanitize Redirects and Cookies
    Ensure values used in Location headers and Set-Cookie headers are properly sanitized.

  4. Implement Input Whitelisting
    Only allow expected characters for header-related inputs. Avoid arbitrary user input in headers.

  5. Monitor and Log HTTP Responses
    Detect anomalies in HTTP headers and responses that may indicate exploitation attempts.

  6. Security Testing
    Include HTTP Response Splitting scenarios in penetration testing and automated scans.

  7. Educate Developers
    Train developers on secure header management practices to avoid injection vulnerabilities.
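
Steps 1, 3 and 4 above can be shown side by side in code. The following is an added example and not code from the original entry: a redirect builder that concatenates untrusted input into the Location header (the "before" form) next to a hardened builder that rejects CR, LF and other control characters, allow-lists the redirect target, and restricts Set-Cookie values to the characters a cookie value may contain. The character classes follow the HTTP and cookie specifications (RFC 7230 field-value and RFC 6265 cookie-octet); the host names and header values are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# RFC 7230 field-value content: HTAB, visible ASCII, SP and obs-text (0x80-0xFF).
# CR, LF and all other control characters are deliberately absent.
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")
# RFC 6265 cookie-octet: no CTLs, whitespace, DQUOTE, comma, semicolon or backslash.
_COOKIE_OCTET = re.compile(r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*")


class HeaderInjection(ValueError):
    """Raised when untrusted input could add lines to the HTTP header block."""


def build_redirect_vulnerable(next_url: str) -> bytes:
    """'Before' form: untrusted input is concatenated straight into Location."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {next_url}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


def safe_header_value(value: str) -> str:
    """Step 1: reject, rather than silently strip, CR, LF and other control characters."""
    if _FIELD_VALUE.fullmatch(value) is None:
        raise HeaderInjection("control character in header value")
    return value


def safe_redirect_target(next_url: str, allowed_hosts: frozenset = frozenset()) -> str:
    """Steps 3 and 4: allow a site-relative path or an absolute URL to an allow-listed host."""
    value = safe_header_value(next_url)
    parts = urlsplit(value)
    # "//host/..." is scheme-relative and would leave the site, so it is excluded too.
    if not parts.scheme and not parts.netloc and value.startswith("/") and not value.startswith("//"):
        return value
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return value
    raise HeaderInjection("redirect target is not allow-listed")


def safe_cookie_value(value: str) -> str:
    """Step 3 for Set-Cookie: only cookie-octets, so no attributes or headers can be appended."""
    if _COOKIE_OCTET.fullmatch(value) is None:
        raise HeaderInjection("character not allowed in cookie value")
    return value


def build_redirect(next_url: str, allowed_hosts: frozenset = frozenset()) -> bytes:
    """Hardened form: the same response, but Location is validated before serialisation."""
    location = safe_redirect_target(next_url, allowed_hosts)
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


def header_names(raw: bytes) -> list:
    """Field names in a serialised response; shows what concatenation actually emitted."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode("latin-1") for line in head.split(b"\r\n")[1:]]


def rejects(fn, value: str) -> bool:
    """True when fn(value) raises HeaderInjection."""
    try:
        fn(value)
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: a path followed by an encoded line break and an extra header.
    tainted = "/home\r\nX-Injected: 1"
    print("vulnerable emits:", header_names(build_redirect_vulnerable(tainted)))
    print("hardened rejects:", rejects(build_redirect, tainted))
```

Rejecting is preferred over stripping because a stripped value may still be wrong for the application (a redirect target with its tail removed), and because the rejection can be logged, which feeds step 5 (monitoring) directly.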
