Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

javascript.http_splitting

Severity

critical

Resource

Injection

Language

JavaScript

Description

Improper Neutralization of CR/LF Sequences in HTTP Headers ('HTTP Request/Response Splitting').

HTTP response splitting occurs when user input is unsafely incorporated into HTTP response headers. Attackers exploit these vulnerabilities by injecting CR/LF (Carriage Return plus Line Feed) characters, effectively splitting the HTTP response into two separate responses.

This vulnerability is often referred to as HTTP Header Manipulation.

Rationale

Here is an example of the vulnerability:

const express = require('express');
const app = express();

app.get('/redirect', (req, res) => {
  const url = req.query.url;
  res.setHeader('Location', url); // FLAW
  res.send('Redirecting...');
});

HTTP response splitting can lead to serious security concerns such as:

Cross-Site Scripting (XSS): Leveraging the split response to inject script content into another user’s browser.
Web Cache Poisoning: Exploiting vulnerable proxy servers or caching mechanisms to cache a poisoned response.
Session Fixation: Forcing a user into a session where the session ID is specified by the attacker.

Mitigating this requires diligent input validation and proper handling of HTTP headers to ensure that malicious headers cannot be injected.

Remediation

The previous example is fixed as follows:

const express = require('express');
const app = express();

app.get('/redirect', (req, res) => {
  let url = req.query.url;

  // FIXED: Validate the url so no whitespace is allowed
  if (!url || !/^https?:\/\/[^\s/$.?#][^\s]*$/.test(url)) {
    res.status(400).send('Invalid URL');
    return;
  }

  // Also encode the URL to avoid CR/LR injection
  res.setHeader('Location', encodeURI(url));
  res.send('Redirecting...');
});

The untrusted input is validated against a pattern, and the URL is encoded to avoid CR/LR injection.

If it is not possible to use untrusted input in HTTP headers, consider the following strategies to avoid HTTP response splitting:

Input Validation: Ensure all user inputs are validated and sanitized before inclusion in HTTP response headers. Either filter out or encode CR/LF characters, or better use a strict whitelist validation to enforce the expected data format for the header.
Output Encoding: Properly encode or replace any special characters in user input embedded within HTTP headers.
Library and Framework Use: Utilize security libraries for validation. Some frameworks include built-in protection against CR/LF injection in HTTP headers.
Security Testing: Implement automatic security testing mechanisms such as Static Application Security Testing (SAST) tools to detect HTTP response splitting vulnerabilities during the development phase.

Configuration

The detector has the following configurable parameters:

sources, that indicates the source kinds to check.
neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

CWE-113 : Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting').
OWASP Top 10 2021 - A03 : Injection.
HTTP Response Splitting attack.