HTTP Splitting
ID |
java.http_splitting |
Severity |
critical |
Resource |
Injection |
Language |
Java |
Tags |
CWE:113, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1 |
Description
Improper Neutralization of CR/LF Sequences in HTTP Headers ('HTTP Request/Response Splitting').
HTTP response splitting occurs when user input is unsafely incorporated into HTTP response headers. Attackers exploit these vulnerabilities by injecting CR/LF (Carriage Return plus Line Feed) characters, effectively splitting the HTTP response into two separate responses.
This vulnerability is often referred to as HTTP Header Manipulation.
Rationale
Here is a simplified example of the vulnerability:
import javax.servlet.http.*;
public class VulnerableServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
String userInput = request.getParameter("user");
// Potentially vulnerable if user input is not sanitized
response.setHeader("Location", "http://example.com/welcome.jsp?user=" + userInput);
}
}In the example above, if the user parameter is not properly sanitized, an attacker can inject an input like "John%0D%0ASet-Cookie:%20SESSIONID=malicious" allowing them to split the HTTP response and perform malicious actions.
HTTP response splitting can lead to serious security concerns such as:
-
Cross-Site Scripting (XSS): Leveraging the split response to inject script content into another user’s browser.
-
Web Cache Poisoning: Exploiting vulnerable proxy servers or caching mechanisms to cache a poisoned response.
-
Session Fixation: Forcing a user into a session where the session ID is specified by the attacker.
Mitigating this requires diligent input validation and proper handling of HTTP headers to ensure that malicious headers cannot be injected.
Remediation
Java provides java.net.URLEncoder to safely encode input, when it is used to construct URLs added to HTTP headers. This can be used as follows:
import java.net.URLEncoder;
import javax.servlet.http.*;
public class SafeServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
String userInput = request.getParameter("user");
// Properly encode potentially unsafe user input
String safeUserInput = URLEncoder.encode(userInput, "UTF-8");
response.setHeader("Location", "http://example.com/welcome.jsp?user=" + safeUserInput);
}
}If it is not possible to use untrusted input in HTTP headers, consider the following strategies to avoid HTTP response splitting:
-
Input Validation: Ensure all user inputs are validated and sanitized before inclusion in HTTP response headers. Either filter out or encode CR/LF characters, or better use a strict whitelist validation to enforce the expected data format for the header.
-
Output Encoding: Properly encode or replace any special characters in user input embedded within HTTP headers.
-
Library and Framework Use: Utilize security libraries for validation. Some frameworks include built-in protection against CR/LF injection in HTTP headers.
-
Security Testing: Implement automatic security testing mechanisms such as Static Application Security Testing (SAST) tools to detect HTTP response splitting vulnerabilities during the development phase.
By validating input, encoding output, and leveraging security libraries, the risk of HTTP response splitting can be significantly reduced in Java applications.
Configuration
The detector has the following configurable parameters:
-
sources, that indicates the source kinds to check. -
neutralizations, that indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
-
CWE-113 : Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting').
-
OWASP Top 10 2021 - A03 : Injection.