HTTP response header injection

OWASP 2013-A1 OWASP 2017-A1 OWASP 2021-A3 PCI v3.2-6.5.1 CAPEC-105 CWE-93 HIPAA-164.306(a) ISO27001-A.14.2.5 WASC-24 WSTG-INFO-08

An HTTP response header injection attack can arise when user-supplied data is copied into a response header without proper validation. If an attacker can insert arbitrary characters into a header, they can also change the header completely: inserting a new-line sequence ends the current header and splits the response into separate messages, so the attacker can add custom headers or content of their own to the application's response. This vulnerability can also be exploited together with cross-site scripting, where the attacker uses the header injection to deliver malicious JavaScript through the response. A corrupted response header can poison cache memory and can also affect the proxies used by end users.

Example

The following is an example of header injection:

        http://example.beaglesecurity.com/redirect.asp?origin=foo%0d%0aSet-Cookie:%20ASPSESSIONIDACCBBTCD=SessionFixed%0d%0a

Using this vulnerability, the attacker can set cookie properties and much more.

Impact

Using this vulnerability, an attacker can:

  • leak sensitive information about the server.
  • gain full access to the system.
  • read, update and delete sensitive data/tables from the database.
  • execute commands on the underlying operating system.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Applications should avoid copying user-controllable data into HTTP response headers.
  • The data should be strictly validated to prevent response header injection attacks.
  • Allow only short alphanumeric strings to be copied into headers.
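The following is an added example (not code from the original article) that shows how the `origin` value from the example URL above becomes a second header line when it is copied unchecked into a `Location` header, and how the short alphanumeric allow-list recommended in the mitigation list rejects it. The handler functions, the naive header parser and the 32-character limit are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed input: the value of the `origin` parameter from the page's example URL.
ORIGIN_PARAM = "foo%0d%0aSet-Cookie:%20ASPSESSIONIDACCBBTCD=SessionFixed%0d%0a"


def build_redirect_unsafe(origin: str) -> bytes:
    """Vulnerable handler: the decoded parameter is copied straight into the
    Location header, so any CR/LF in it ends that header and starts new lines."""
    location = unquote(origin)
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Naive header parser used only to show what a client, cache or proxy
    would see in the response head (everything before the blank line)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


# Allow-list from the mitigation list: only short alphanumeric strings may be
# copied into a header. Length limit of 32 is an assumed policy value.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9]{1,32}")


def build_redirect_safe(origin: str) -> bytes:
    """Hardened handler: validate the *decoded* value (frameworks hand the
    handler decoded data) and refuse anything outside the allow-list."""
    token = unquote(origin)
    if not SAFE_TOKEN.fullmatch(token):
        raise ValueError("rejected origin value")
    return f"HTTP/1.1 302 Found\r\nLocation: /{token}\r\n\r\n".encode("latin-1")


def safe_accepts(origin: str) -> bool:
    """True if the hardened handler would emit a redirect for this value."""
    try:
        build_redirect_safe(origin)
        return True
    except ValueError:
        return False
```

Run `parse_headers(build_redirect_unsafe(ORIGIN_PARAM))` to see the injected `Set-Cookie` header appear alongside `Location`, while `safe_accepts(ORIGIN_PARAM)` returns `False`.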
