HTTP response header injection

An HTTP response header injection attack is an attack that might arise due to improper and unsafe transmission of user-supplied data to the response header. If the attacker successfully inserts characters into the header, he will also be able to change the header completely. The attacker can insert a new line into the header to break the header into messages. So that, he can add new custom codes into the application. This vulnerability can be exploited using cross-site scripting attack. The attacker uses cross-site scripting attack to inject malicious javascript code into the response header. A corrupt response header can poison the cache memory and can also affect the proxy used by the end users.

Example

The following is the example of header injection.

        http://example.beaglesecurity.com/
        redirect.asp?origin=foo%0d%0aSet-Cookie:%20ASPSESSIONIDACCBBTCD=SessionFixed%0d%0a

    

Using this vulnerability, the attacker can change the cookie properties and many more.

Impact

Using this vulnerability, an attacker can:-

• leak sensitive information about the server.
• gain full access to the system.
• read, update and delete sensitive data/tables from the database.
• execute commands on the underlying operating system.

Mitigation / Precaution

Beagle recommends the following fixes:-

• Applications should avoid copying user-controllable data into HTTP response headers.
• The data should be strictly validated to prevent response header injection attacks.
• Allow only short alphanumeric strings to be copied into headers.