HTTP Response Splitting
Description
HTTP Response Splitting is a vulnerability where Carriage Return (CR) and Line Feed (LF) characters are introduced into an HTTP header from user-supplied input. Because CRLF terminates a header line on the wire, an adversary who injects the sequence can change how the response is interpreted by the client or by any downstream caching service. This can allow the adversary to poison cached data or carry out Cross-Site Scripting (XSS) attacks.
Examples
Insecure Code

```java
// $X and $RES are rule-pattern metavariables: any package prefix and any response variable.
// The untrusted "redirect" parameter reaches the Location header without validation.
($X.servlet.http.HttpServletResponse $RES).setHeader("Location", request.getParameter("redirect"));
```

Secure Code

```java
import org.apache.commons.text.StringEscapeUtils;

public class HeaderSanitizer {

    // Reject any character that is not safe inside a cookie-style header value:
    // control characters and space (< 0x21), DEL (0x7f), and the separators " , ; \
    public void validateHeader(String value) throws IllegalArgumentException {
        char[] chars = value.toCharArray();
        for (int i = 0; i < chars.length; i++) {
            char c = chars[i];
            if (c < 0x21 || c == '"' || c == ',' || c == ';' || c == '\\' || c == 0x7f) {
                throw new IllegalArgumentException("Invalid character in cookie detected: " + Integer.toString(c));
            }
        }
    }

    // Alternative: escape rather than reject, so CR and LF become the literal
    // two-character sequences \r and \n and can no longer end the header line.
    public String escapeValue(String value) {
        return StringEscapeUtils.escapeJava(value);
    }
}
```

Remediation
Validate user-supplied input used in header keys or values to only allow valid characters, or use a string escape package such as Apache Commons Text to escape the input.
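The following is an added example, not code from the rule page or its vendor, showing how the description's CRLF problem and the remediation above fit together for the Location-header case. It checks the header value against the RFC 7230 field-value grammar (visible ASCII, space and tab only), then parses the redirect target and confirms it stays on this origin or on an allowlisted host. The class name `SafeRedirect`, the `ALLOWED_HOSTS` list and the sample inputs in `main` are constructed for illustration; only the JDK is used, so the helper returns the header line a caller would pass to `response.setHeader()` rather than writing to a real `HttpServletResponse`.

```java
// Added example (not part of the original rule page). Requires Java 9+ for List.of.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public class SafeRedirect {

    // RFC 7230 field-value grammar: visible ASCII plus SP and HTAB. CR and LF are never
    // permitted inside a value because they terminate the header line on the wire.
    static boolean isSafeHeaderValue(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n') return false;
            if (c < 0x20 && c != '\t') return false;   // other control characters
            if (c >= 0x7f) return false;               // DEL and non-ASCII
        }
        return true;
    }

    // Hosts this application is willing to redirect to (constructed allowlist).
    static final List<String> ALLOWED_HOSTS = List.of("app.example.test");

    // Validates an untrusted redirect target and returns the Location header line
    // the caller may set. Throws IllegalArgumentException on anything unsafe.
    static String buildLocation(String untrusted) {
        if (!isSafeHeaderValue(untrusted)) {
            throw new IllegalArgumentException("control character in redirect target");
        }
        URI uri;
        try {
            uri = new URI(untrusted);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed redirect target", e);
        }
        // Only web schemes may be used when a scheme is present at all.
        String scheme = uri.getScheme();
        if (scheme != null && !scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("unsupported redirect scheme");
        }
        // Relative paths stay on this origin; anything carrying a host (absolute or
        // scheme-relative "//host/...") must be on the allowlist.
        if (uri.getHost() != null && !ALLOWED_HOSTS.contains(uri.getHost())) {
            throw new IllegalArgumentException("redirect host not allowed");
        }
        return "Location: " + uri.toASCIIString();
    }

    public static void main(String[] args) {
        // Constructed inputs: two legitimate targets, an off-site host, and a CRLF payload.
        String[] inputs = {
            "/account",
            "https://app.example.test/home",
            "https://evil.example/",
            "/account\r\nX-Injected: 1",
        };
        for (String in : inputs) {
            String shown = in.replace("\r", "\\r").replace("\n", "\\n");
            try {
                System.out.println("OK     " + buildLocation(in));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + e.getMessage() + " <- " + shown);
            }
        }
    }
}
```

Rejecting is preferable to escaping for a Location header: `escapeJava` turns CR and LF into the printable text `\r` and `\n`, which neutralises the split but leaves a value that is no longer a usable URL, so the request would still fail downstream. The allowlist check also covers open redirects, which the same unvalidated `redirect` parameter would otherwise permit even after CRLF is removed.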
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0683 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-113 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | HTTP Response Splitting, CRLF Injection, XSS |
| OWASP | A1:2017-Injection, A03:2021-Injection |