Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE-113)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

The product receives data from an HTTP agent/component, and it places this data in HTTP response headers without neutralizing CRLF sequences.

An attacker can inject CRLF sequences into HTTP headers to create additional headers or response body content. This can lead to cache poisoning, cross-site scripting, or other attacks.

Prevalencia

Media

3 lenguajes cubiertos

Impacto

Alto

2 reglas de severidad alta

Prevención

Documentada

3 ejemplos de corrección

2 Prevención

Cómo corregir esta vulnerabilidad

Estrategias de prevención para HTTP Response Splitting basadas en 3 reglas de detección de Shoulder.

🐹 Go Ver todo Go detalles →

HTTP Header Injection MEDIUM

Strip CRLF characters from user input before setting HTTP headers

+15 -6 go

  package main
  
- import "net/http"
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     lang := r.URL.Query().Get("lang")
-     // Vulnerable: user input set as header value
-     w.Header().Set("Content-Language", lang)
+ import (
+     "net/http"
+     "strings"
+ )
+ 
+ func sanitizeHeaderValue(s string) string {
+     s = strings.ReplaceAll(s, "\r", "")
+     s = strings.ReplaceAll(s, "\n", "")
+     return s
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     lang := r.URL.Query().Get("lang")
+     // Safe: CRLF characters stripped
+     w.Header().Set("Content-Language", sanitizeHeaderValue(lang))
      w.Write([]byte("OK"))
  }

🐍 Python Ver todo Python detalles →

HTTP Header Injection HIGH

Strip CRLF characters from user input before using in HTTP headers

+12 -7 python

- from flask import request, make_response
- 
- @app.route('/download')
- def download():
-     filename = request.args.get('filename')
-     response = make_response("content")
-     response.headers['Content-Disposition'] = f'attachment; filename="{filename}"'
+ import re
+ from flask import request, make_response
+ 
+ def sanitize_header(value):
+     return re.sub(r'[\r\n]', '', str(value))
+ 
+ @app.route('/download')
+ def download():
+     filename = request.args.get('filename', '')
+     safe_filename = sanitize_header(filename)
+     response = make_response("content")
+     response.headers['Content-Disposition'] = f'attachment; filename="{safe_filename}"'
      return response

3 Detección

Encuentra vulnerabilidades en tu código

Usa Shoulder para escanear tu código en busca de patrones Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'). 3 reglas.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=113

# Or scan entire project
npx @shoulderdev/cli trust .

Reglas de Detección (3)

🐹 Go 1 rules

HTTP Header Injection MEDIUM

Detects user input flowing to HTTP headers without CRLF sanitization.

🟨 Javascript 1 rules

HTTP Header Injection (Response Splitting) HIGH

Detects user input flowing into HTTP response headers without CRLF sanitization.

🔷 Typescript 1 rules

HTTP Header Injection (Response Splitting) HIGH

Detects user input flowing into HTTP response headers without CRLF sanitization.

🐍 Python 1 rules

HTTP Header Injection HIGH

Detects user input flowing into HTTP response headers without CRLF sanitization.

4 Señales de Alerta

Qué buscar en las revisiones de código

Estos patrones indican vulnerabilidades potenciales de Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'). Búscalos durante las revisiones de código y auditorías de seguridad.

🟠

user input flowing into HTTP response headers without CRLF sanitization javascript-header-injection

🟡

user input flowing to HTTP headers without CRLF sanitization go-header-injection

🔍

Escanea tu base de código para Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Shoulder CLI encuentra patrones vulnerables en toda tu base de código.

npx shoulder trust Ver todas las reglas