HTTP Response Splitting
Description
HTTP Response Splitting is a vulnerability in which Carriage Return (CR) and Line Feed (LF) characters from user-supplied input end up in an HTTP header. Because the CR-LF sequence terminates a header line, injecting it lets an adversary append headers or an entire second response body, changing how the response is interpreted by the client or by any downstream caching service. This can be used to poison cached content or to carry out Cross-Site Scripting (XSS) attacks.
Examples
Insecure Code

```java
// The request parameter flows unchecked into a Set-Cookie header value
new javax.servlet.http.Cookie("key", request.getParameter("value"));
```

Secure Code
```java
public void validateRfc6265CookieValue(String value) throws IllegalArgumentException {
    char[] chars = value.toCharArray();
    for (int i = 0; i < chars.length; i++) {
        char c = chars[i];
        // Reject control characters (including CR 0x0D and LF 0x0A), DEL (0x7f),
        // and the separator characters that RFC 6265 does not allow in a cookie-octet
        if (c < 0x21 || c == '"' || c == ',' || c == ';' || c == '\\' || c == 0x7f) {
            throw new IllegalArgumentException("Invalid character in cookie detected: " + Integer.toString(c));
        }
    }
}
```

Remediation
Validate user-supplied input used in cookie names or values so that only characters permitted by RFC 6265 are accepted, or escape the input with a string-escaping library such as Apache Commons Text before placing it in a header.
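The following is an added example, not code from the rule page, that generalizes the validation shown above into a reusable guard: it returns a boolean instead of throwing, applies the same check to the cookie name as well as the value, and only assembles a `Set-Cookie` header once both have passed. The class name `CookieValueGuard`, the method names and the sample inputs are all assumptions made for this illustration. It depends only on the JDK, so it can be compiled and run without the Servlet API.

```java
import java.util.Arrays;
import java.util.List;

/** Added example (not from the rule page): reject cookie names/values that could split an HTTP response. */
public final class CookieValueGuard {

    /**
     * Returns true when every character is a valid RFC 6265 cookie-octet.
     * This is slightly stricter than the page's validator (assumption): it also
     * rejects anything above 0x7e, so non-ASCII input is refused rather than passed through.
     */
    public static boolean isValidCookieValue(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // Control characters (including CR 0x0D and LF 0x0A), space, DEL and
            // the separators RFC 6265 forbids inside a cookie value
            if (c < 0x21 || c > 0x7e || c == '"' || c == ',' || c == ';' || c == '\\') {
                return false;
            }
        }
        return true;
    }

    /** Builds a Set-Cookie header value only after both parts have been validated; throws otherwise. */
    public static String setCookieHeader(String name, String value) {
        if (!isValidCookieValue(name) || !isValidCookieValue(value)) {
            throw new IllegalArgumentException("Invalid character in cookie name or value");
        }
        return name + "=" + value + "; HttpOnly; Secure";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the second one carries a CR-LF sequence and must be rejected.
        List<String> samples = Arrays.asList(
            "session-abc123",
            "abc\r\nX-Injected: 1",
            "value with space",
            "quoted\"value");
        for (String s : samples) {
            System.out.println(printable(s) + " -> " + (isValidCookieValue(s) ? "accepted" : "rejected"));
        }
        System.out.println(setCookieHeader("key", "session-abc123"));
        try {
            setCookieHeader("key", "abc\r\nX-Injected: 1");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected before reaching the header: " + e.getMessage());
        }
    }

    /** Makes CR and LF visible when echoing a sample to stdout. */
    private static String printable(String s) {
        return s.replace("\r", "\\r").replace("\n", "\\n");
    }
}
```

Returning a boolean from the check keeps it usable both in a filter that answers with a 400 response and in a wrapper that throws, as above; the important property in either case is that the raw request parameter never reaches `Cookie` or `addHeader` until the check has passed.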
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0682 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-113 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | HTTP Response Splitting, CRLF injection, XSS |
| OWASP | A1:2017-Injection, A03:2021-Injection |