Reflected Value in HTTP Header

  • CWE-113

Reflected Value in HTTP Header (CWE-113, Improper Neutralization of CRLF Sequences in HTTP Headers) occurs when user-supplied input is written into an HTTP response header without validation or encoding. Because headers are delimited by CRLF sequences, a value that contains a carriage return or line feed can terminate the current header and start a new one, or end the header block altogether. This can lead to HTTP Response Splitting, Cross-Site Scripting (XSS), and cache poisoning: attackers manipulate header values to inject their own headers or a complete second response, change how the response is handled, and exploit clients and intermediaries that parse it.

Common patterns leading to reflected header injection:

  • Directly including query parameters, cookies, or form input in response headers, typically by string concatenation.
  • No filtering or rejection of CR, LF, or other control characters in the value.
  • Copying user-controlled values (query parameters, cookies, or request headers such as X-Forwarded-For or Referer) into response headers such as Location or Set-Cookie.
  • Failure to encode special characters in header values, for example unencoded redirect targets in Location.

Impacts:

  • HTTP Response Splitting: Injected CRLF sequences can add headers (for example Set-Cookie, enabling session fixation) or terminate the response and append a second, attacker-authored response.
  • Cross-Site Scripting: The body of an injected response is fully attacker-controlled, and header values later rendered into HTML pages may carry script payloads.
  • Cache Poisoning: Proxies and shared caches may store the attacker-authored response and serve it to other users requesting the same URL.
  • Denial of Service: Malformed headers can cause clients or intermediaries to reject or mis-parse the response, or desynchronize a shared connection.

Detection indicators:

  • HTTP responses containing user input in header fields.
  • Security scanners detecting injection points in Location, Set-Cookie, or other headers.
  • Unexpected line breaks or additional headers in responses based on user input.

Remediation

Mitigation focuses on proper validation, encoding, and secure header management:

  1. Validate and Sanitize Input
    Reject input containing CR, LF, or other control characters before including it in a header; there is no legitimate use for them in a header value, so rejection is safer than attempting to strip or encode them.

  2. Use Framework Functions for Header Management
    Avoid manual concatenation; use built-in functions that handle encoding securely.

  3. Implement Output Encoding
    Percent-encode values placed in URL-bearing headers such as Location, and HTML-encode any header-derived value later written into a page, so that a value can never be interpreted as a header delimiter or as markup.

  4. Restrict Header Reflection
    Avoid reflecting user input unnecessarily in HTTP headers.

  5. Monitor and Audit HTTP Responses
    Regularly check headers for unexpected or malformed values.

  6. Security Testing
    Include HTTP header injection tests and response splitting checks during penetration testing.

  7. Educate Developers
    Train development teams on safe handling of user-supplied data in headers.
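The following is an added example and not code from the original page: it shows the response-splitting impact and detection indicators described above together with remediation steps 1 and 4. The redirect handler, the attacker payload, the naive response parser and the header names are constructed for illustration.

```python
"""Added example, not from the original page: how a reflected Location header
turns into HTTP response splitting, and the checks that stop it. The handler
functions, the payload and the header layout are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Constructed attacker input for a ?next= style redirect parameter. The CRLFs
# close the server's 302 early (Content-Length: 0) and start a second,
# attacker-authored 200 response that a shared cache may store for /home.
PAYLOAD = (
    "/home\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    "<html>poisoned</html>"
)


def vulnerable_redirect(target: str) -> bytes:
    """Builds a 302 by string concatenation: the user value lands in the
    header block unvalidated (the CWE-113 pattern)."""
    return (
        "HTTP/1.1 302 Found\r\n"
        "Content-Type: text/html\r\n"
        f"Location: {target}\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_responses(raw: bytes) -> list[dict]:
    """Reads a byte stream the way a naive proxy or cache would: each status
    line starts a message, headers run to the blank line, the body is
    Content-Length bytes. Returns one dict per message found."""
    messages = []
    rest = raw
    while rest.startswith(b"HTTP/"):
        head, _, rest = rest.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, rest = rest[:length], rest[length:]
        messages.append({"status": lines[0], "headers": headers,
                         "body": body.decode("latin-1")})
    return messages


# --- Remediation: validate before the value reaches a header ---------------

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and other controls


class HeaderInjectionError(ValueError):
    """Raised when a value is unsafe to place in an HTTP header."""


def safe_header_value(value: str) -> str:
    """Step 1: reject CR, LF and other control characters outright; nothing
    legitimate needs them in a field value, so no encoding is attempted."""
    if CONTROL_CHARS.search(value):
        raise HeaderInjectionError("control character in header value")
    return value


def safe_redirect_target(target: str) -> str:
    """Step 4: restrict what is reflected. Only a local absolute path is
    accepted; absolute URLs, scheme-relative (//host) and backslash variants
    are refused so the header cannot send users off-site."""
    safe_header_value(target)
    parts = urlsplit(target)
    if (parts.scheme or parts.netloc or not target.startswith("/")
            or target.startswith(("//", "/\\"))):
        raise HeaderInjectionError("redirect target must be a local path")
    return target


def hardened_redirect(target: str) -> bytes:
    """Same response as vulnerable_redirect, but the value is validated first."""
    return vulnerable_redirect(safe_redirect_target(target))


# --- Detection: what a scanner or response audit looks for -----------------

def audit_response(raw: bytes, user_input: str) -> dict:
    """Returns how many messages the stream parsed into (more than one means
    a split) and which first-message headers echo the user input."""
    messages = parse_responses(raw)
    if not messages:
        return {"messages": 0, "reflected_in": []}
    reflected = [name for name, value in messages[0]["headers"].items()
                 if user_input in value]
    return {"messages": len(messages), "reflected_in": reflected}


if __name__ == "__main__":
    split = parse_responses(vulnerable_redirect(PAYLOAD))
    print(f"{len(split)} responses; injected body: {split[1]['body']!r}")
    try:
        hardened_redirect(PAYLOAD)
    except HeaderInjectionError as e:
        print("hardened handler rejected payload:", e)
```

Run stand-alone, the vulnerable handler's output parses as two responses, the second carrying the attacker's body, while the hardened handler raises before any header is written. In a real application the validation belongs inside the framework's redirect helper (remediation step 2) rather than in each handler, and the audit function mirrors what a scanner does: count messages per response and look for the probe value echoed in header fields.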
