Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE-113)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

The product receives data from an HTTP agent/component, and it places this data in HTTP response headers without neutralizing CRLF sequences.

An attacker can inject CRLF sequences into HTTP headers to create additional headers or response body content. This can lead to cache poisoning, cross-site scripting, or other attacks.

보급률

보통

3개 언어 지원

영향

높음

2개의 높은 심각도 규칙

예방

문서화됨

3개의 수정 예시

2 예방

이 취약점을 수정하는 방법

3개의 Shoulder 탐지 규칙을 기반으로 한 HTTP Response Splitting 예방 전략.

🐹 Go 모두 보기 Go 자세히 →

HTTP Header Injection MEDIUM

Strip CRLF characters from user input before setting HTTP headers

+15 -6 go

  package main
  
- import "net/http"
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     lang := r.URL.Query().Get("lang")
-     // Vulnerable: user input set as header value
-     w.Header().Set("Content-Language", lang)
+ import (
+     "net/http"
+     "strings"
+ )
+ 
+ func sanitizeHeaderValue(s string) string {
+     s = strings.ReplaceAll(s, "\r", "")
+     s = strings.ReplaceAll(s, "\n", "")
+     return s
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     lang := r.URL.Query().Get("lang")
+     // Safe: CRLF characters stripped
+     w.Header().Set("Content-Language", sanitizeHeaderValue(lang))
      w.Write([]byte("OK"))
  }

🐍 Python 모두 보기 Python 자세히 →

HTTP Header Injection HIGH

Strip CRLF characters from user input before using in HTTP headers

+12 -7 python

- from flask import request, make_response
- 
- @app.route('/download')
- def download():
-     filename = request.args.get('filename')
-     response = make_response("content")
-     response.headers['Content-Disposition'] = f'attachment; filename="{filename}"'
+ import re
+ from flask import request, make_response
+ 
+ def sanitize_header(value):
+     return re.sub(r'[\r\n]', '', str(value))
+ 
+ @app.route('/download')
+ def download():
+     filename = request.args.get('filename', '')
+     safe_filename = sanitize_header(filename)
+     response = make_response("content")
+     response.headers['Content-Disposition'] = f'attachment; filename="{safe_filename}"'
      return response

3 탐지

코드에서 취약점 찾기

Shoulder를 사용하여 코드에서 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') 패턴을 스캔하세요. 3 규칙.

터미널

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=113

# Or scan entire project
npx @shoulderdev/cli trust .

탐지 규칙 (3)

🐹 Go 1 rules

HTTP Header Injection MEDIUM

Detects user input flowing to HTTP headers without CRLF sanitization.

🟨 Javascript 1 rules

HTTP Header Injection (Response Splitting) HIGH

Detects user input flowing into HTTP response headers without CRLF sanitization.

🔷 Typescript 1 rules

HTTP Header Injection (Response Splitting) HIGH

Detects user input flowing into HTTP response headers without CRLF sanitization.

🐍 Python 1 rules

HTTP Header Injection HIGH

Detects user input flowing into HTTP response headers without CRLF sanitization.

4 경고 신호

코드 리뷰에서 주의할 점

이 패턴은 잠재적인 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.

🟠

user input flowing into HTTP response headers without CRLF sanitization javascript-header-injection

🟡

user input flowing to HTTP headers without CRLF sanitization go-header-injection

🔍

코드베이스를 스캔하세요: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.

npx shoulder trust 모든 규칙 보기