Dark Web Crypto Mixer Founder Sentenced to Over 12 Years for Money Laundering

November 14, 2024

Global Сybercrime Сrackdown Takes Down Over 22K Malicious IPs And Servers

November 7, 2024

REvil Gang Members Sentenced

October 31, 2024

US Cop Indicted Over Buying Stolen Data

October 24, 2024

Notorious hacker ‘USDoD’ arrested in Brazil

October 17, 2024

OWASP Top 10

OWASP Top 10: Broken Access Control Practical Overview

March 9, 2021

OWASP Top 10: Cryptographic Failures Practical Overview

February 8, 2021

OWASP Top 10: Injection Practical Overview

January 11, 2021

OWASP Top 10: Insecure Design Practical Overview

October 18, 2021

OWASP Top 10: Security Misconfiguration Practical Overview

March 22, 2021

OWASP Top 10: Vulnerable and Outdated Components Practical Overview

May 10, 2021

OWASP Top 10: Identification and Authentication Failures Practical Overview

January 25, 2021

OWASP Top 10: Software and Data Integrity Failures Practical Overview

October 18, 2021

OWASP Top 10: Security Logging and Monitoring Failures Practical Overview

May 24, 2021

OWASP Top 10: Server-Side Request Forgery Practical Overview

October 18, 2021

CWE Glossary

CWE is a trademark of the MITRE Corporation.

ImmuniWeb > CWE Knowledge Base > HTTP Response Splitting [CWE-113]

HTTP Response Splitting [CWE-113]

HTTP Response Splitting weakness describes improper neutralization of CRLF sequences in HTTP headers.

Created: September 11, 2012
Latest Update: December 28, 2020

Table of Content

Description
Potential impact
Attack patterns
Affected software
Severity and CVSS Scoring
Mitigations
Vulnerability Remediation Techniques and Examples
Common Fix Errors and Bypasses
References

Want to have an in-depth understanding of all modern aspects of
HTTP Response Splitting [CWE-113]? Read carefully this article and bookmark it to get back later, we regularly update this page.

1. Description

This weakness occurs when software accepts data from an upstream provider, but does not neutralize or incorrectly neutralizes CR and LF characters before including data into HTTP response headers. This provides an attacker with ability to inject arbitrary headers into the HTTP response, which is sent to a client. As a result an attacker might be able to modify contents of the HTTP response by means of unexpected CR (carriage return - %0d or \r) and LF (line feed - %0a or \n) characters and send to the browser two different HTTP responses instead of one. The attacker, who controls the second HTTP response, can perform different attacks such as cache poisoning and cross-site scripting.

HTTP response splitting might occur when an application receives data from an untrusted source, such as HTTP request, or when data is not validated before sending it back to the client in HTTP response. Modern programming languages have built-in protection mechanisms against HTTP response splitting that do not allow sending more than one response header to client browser, so the HTTP response splitting attack is possible only when application uses untrusted input to construct headers.

1.1 PERL

The following example works with PERL and demonstrates the vulnerable code:

use CGI qw(:standard);
my $value = param('cookie');
print "Content-type: text/plain\n";
print "Set-Cookie: cookie=$value\n";

The example below redirects users to the address passed via the "page" parameter. The client sends the following header and receives the HTTP 302 response:
GET /test.pl?page=/index.html HTTP/1.1 HOST: testhost.local Referer: testhost.local ACCEPT: */* Accept-Encoding: None User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Connection: Close Accept-Transfer-Encoding: None HTTP/1.1 302 Found Date: Fri, 07 Sep 2012 17:02:45 GMT Server: Apache Location: /index.html Content-Length: 0 Connection: close Content-Type: text/html; charset=Windows-1252

If an attacker sends CRLF characters to vulnerable "page" parameter, he can split the header and make the client browser execute arbitrary HTML and script code:
GET /test.pl?page=%0d%0aContent-Type: text/html%0d%0aHTTP/1.1 200 OK%0d%0aContent-Type: text/html%0d%0a%0d%0a%3Chtml%3E%3Cfont color=red%3ECSRF%3C/font%3E%3C/html%3E HTTP/1.1 HOST: testhost.local Referer: testhost.local ACCEPT: */* Accept-Encoding: None User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Connection: Close Accept-Transfer-Encoding: None

1.2 ASP.NET

With ASP.NET 2.0 this attack is almost impossible, because the "\r\n" sequences are disallowed by default in methods that involve HTTP response headers. It is possible though to turn off HTTP response splitting protection by disabling the "enableHeaderChecking" option in web.config. Make sure this option is set to true.

1.3 PHP

PHP is not vulnerable to HTTP response splitting since version 5.1.2.

1.4 NodeJS

NodeJS is not vulnerable to HTTP response splitting since versions 5.6.0, 4.3.0, 0.12.10, 0.10.4.

2. Potential impact

An attacker might be able to perform cross-site scripting, phishing and cache poisoning attacks. This weakness is a significant threat for high load servers that use caching proxies to deliver content to the end-users. One request sent by an attacker can be cached and displayed to all visitors of a webpage. As a result, an attacker might be able to gain access to potentially sensitive data and perform different attacks against website users.

3. Attack patterns

CAPEC has the following patterns for this weakness:

CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
CAPEC-34: HTTP Response Splitting
CAPEC-63: Simple Script Injection
CAPEC-85: Client Network Footprinting (using AJAX/XSS)

This weakness is described in WASC classification as four separate techniques:

4. Affected software

Any software that uses input data to construct headers is potentially vulnerable to this weakness. In most cases these are web applications, web servers, caching proxies.

5. Severity and CVSS Scoring

Depending on potential damage this weakness could impact integrity of the application and is usually scored as:
5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N] – Medium severity.

6. Mitigations

All input passed to the application must be considered untrustworthy and should be handled as such. Use a good known input validation strategy based on whitelists to construct headers and do not rely exclusively on looking for malicious or malformed inputs. All input should be decoded and canonicalized to the application's current internal representation.

7. Vulnerability Remediation Techniques and Examples

PHP

Usage of the header() function for HTTP headers output is safe in modern PHP versions.

PERL

$param=~s/[\r\n]//gi;

ASP.NET

With ASP.NET 2.0 this attack is impossible, the "\r\n" sequences are disallowed by default.

Python

param = re.sub("[^\\n\\r]+", "_", param)

JAVA/JSP

url = url.replaceAll("\\n\\r","");
response.sendRedirect(url);

NodeJS

The ‘http’ module containing functions to deal with HTTP header output contains fixes for previously discovered HTTP response splitting vulnerabilities.

These are general recommendations. Every case must be treated separately.

Caution: do not blindly copy-paste the above-mentioned solutions into your application code. In some cases this may result in incorrect behavior of the application or inconsistent patch. Carefully read the References or consult security specialists in case you are not sure how to patch a vulnerability.

8. Common Fix Errors and Bypasses

Attackers can use different character encoding to bypass certain filters:

Double URL Encoding	%250d%250a
UTF-8	%E5%98%8A%E5%98%8D
UTF-16	0x000A 0x000D
Various URL Character Codes	/%2f..%0d%0a

9. References

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') [cwe.mitre.org]
HTTP Response Splitting [www.owasp.org]
HTTP Response Splitting Attack [resources.infosecinstitute.com]
Introduction to HTTP Response Splitting [www.securiteam.com]

Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.

↑ Back to Top

57.5k
73
60
97
30
More
54
71