Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE-113)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

The product receives data from an HTTP agent/component, and it places this data in HTTP response headers without neutralizing CRLF sequences.

An attacker can inject CRLF sequences into HTTP headers to create additional headers or response body content. This can lead to cache poisoning, cross-site scripting, or other attacks.

普及度

中

3 言語をカバー

影響度

ハイ

2 件の重大度ハイのルール

予防

文書化済み

3 件の修正例

2 予防

この脆弱性の修正方法

3 件の Shoulder 検出ルールに基づく HTTP Response Splitting の予防策。

🐹 Go すべて表示 Go 詳細 →

HTTP Header Injection MEDIUM

Strip CRLF characters from user input before setting HTTP headers

+15 -6 go

  package main
  
- import "net/http"
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     lang := r.URL.Query().Get("lang")
-     // Vulnerable: user input set as header value
-     w.Header().Set("Content-Language", lang)
+ import (
+     "net/http"
+     "strings"
+ )
+ 
+ func sanitizeHeaderValue(s string) string {
+     s = strings.ReplaceAll(s, "\r", "")
+     s = strings.ReplaceAll(s, "\n", "")
+     return s
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     lang := r.URL.Query().Get("lang")
+     // Safe: CRLF characters stripped
+     w.Header().Set("Content-Language", sanitizeHeaderValue(lang))
      w.Write([]byte("OK"))
  }

🐍 Python すべて表示 Python 詳細 →

HTTP Header Injection HIGH

Strip CRLF characters from user input before using in HTTP headers

+12 -7 python

- from flask import request, make_response
- 
- @app.route('/download')
- def download():
-     filename = request.args.get('filename')
-     response = make_response("content")
-     response.headers['Content-Disposition'] = f'attachment; filename="{filename}"'
+ import re
+ from flask import request, make_response
+ 
+ def sanitize_header(value):
+     return re.sub(r'[\r\n]', '', str(value))
+ 
+ @app.route('/download')
+ def download():
+     filename = request.args.get('filename', '')
+     safe_filename = sanitize_header(filename)
+     response = make_response("content")
+     response.headers['Content-Disposition'] = f'attachment; filename="{safe_filename}"'
      return response

3 検出

コードの脆弱性を見つける

Shoulderを使用してコードのImproper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')パターンをスキャンしましょう。 3 ルール.

ターミナル

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=113

# Or scan entire project
npx @shoulderdev/cli trust .

検出ルール (3)

🐹 Go 1 rules

HTTP Header Injection MEDIUM

Detects user input flowing to HTTP headers without CRLF sanitization.

🟨 Javascript 1 rules

HTTP Header Injection (Response Splitting) HIGH

Detects user input flowing into HTTP response headers without CRLF sanitization.

🔷 Typescript 1 rules

HTTP Header Injection (Response Splitting) HIGH

Detects user input flowing into HTTP response headers without CRLF sanitization.

🐍 Python 1 rules

HTTP Header Injection HIGH

Detects user input flowing into HTTP response headers without CRLF sanitization.

4 警告サイン

コードレビューで注目すべき点

これらのパターンはImproper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')の潜在的な脆弱性を示しています。コードレビューとセキュリティ監査中に探してください。

🟠

user input flowing into HTTP response headers without CRLF sanitization javascript-header-injection

🟡

user input flowing to HTTP headers without CRLF sanitization go-header-injection

🔍

コードベースをスキャン: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Shoulder CLI はコードベース全体から脆弱なパターンを見つけます。

npx shoulder trust すべてのルールを表示