# Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE-113)

The product receives data from an HTTP agent/component, and it places this data in HTTP response headers without neutralizing CRLF sequences.

- Prevalence: 보통 3개 언어 지원
- Impact: 높음 2개의 높은 심각도 규칙
- Prevention: 문서화됨 3개의 수정 예시

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

An attacker can inject CRLF sequences into HTTP headers to create additional headers or response body content. This can lead to cache poisoning, cross-site scripting, or other attacks.

## Prevention

3개의 Shoulder 탐지 규칙을 기반으로 한 HTTP Response Splitting 예방 전략.

### Go

Strip CRLF characters from user input before setting HTTP headers

### Python

Strip CRLF characters from user input before using in HTTP headers

## Warning Signs

- [HIGH] user input flowing into HTTP response headers without CRLF sanitization
- [MEDIUM] user input flowing to HTTP headers without CRLF sanitization

## Consequences

- 승인되지 않은 코드 실행
- 보호 메커니즘 우회
- 애플리케이션 데이터 수정

## Mitigations

- HTTP 응답 헤더에 사용자 입력을 직접 포함하지 마세요
- 헤더에 포함될 수 있는 모든 사용자 입력을 정제하세요
- 인코딩을 처리하는 프레임워크 제공 헤더 설정 메서드를 사용하세요

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Go (1 rules)

- **HTTP Header Injection** [MEDIUM]: Detects user input flowing to HTTP headers without CRLF sanitization.
  - Remediation: Remove CRLF characters from user input before setting headers.

```go
value := strings.ReplaceAll(userInput, "\r", "")
value = strings.ReplaceAll(value, "\n", "")
w.Header().Set("X-Custom", value)
```

Learn more: https://shoulder.dev/learn/go/cwe-113/header-injection

### Javascript (1 rules)

- **HTTP Header Injection (Response Splitting)** [HIGH]: Detects user input flowing into HTTP response headers without CRLF sanitization.
  - Remediation: Remove CRLF characters from user input before setting headers.

```javascript
const sanitized = userInput.replace(/[\r\n]/g, '');
res.setHeader('X-Custom-Header', sanitized);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-113/header-injection

### Typescript (1 rules)

- **HTTP Header Injection (Response Splitting)** [HIGH]: Detects user input flowing into HTTP response headers without CRLF sanitization.
  - Remediation: Remove CRLF characters from user input before setting headers.

```javascript
const sanitized = userInput.replace(/[\r\n]/g, '');
res.setHeader('X-Custom-Header', sanitized);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-113/header-injection

### Python (1 rules)

- **HTTP Header Injection** [HIGH]: Detects user input flowing into HTTP response headers without CRLF
sanitization.
  - Remediation: Remove CRLF characters from header values.

```python
import re
safe_value = re.sub(r'[\r\n]', '', user_value)
```

Learn more: https://shoulder.dev/learn/python/cwe-113/header-injection