Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

php.http_splitting

Severity

critical

Resource

Injection

Language

Php

Description

Improper Neutralization of CR/LF Sequences in HTTP Headers ('HTTP Request/Response Splitting').

HTTP response splitting occurs when user input is unsafely incorporated into HTTP response headers. Attackers exploit these vulnerabilities by injecting CR/LF (Carriage Return plus Line Feed) characters, effectively splitting the HTTP response into two separate responses.

This vulnerability is often referred to as HTTP Header Manipulation.

Rationale

HTTP response splitting can lead to serious security concerns such as:

Cross-Site Scripting (XSS): Leveraging the split response to inject script content into another user’s browser.
Web Cache Poisoning: Exploiting vulnerable proxy servers or caching mechanisms to cache a poisoned response.
Session Fixation: Forcing a user into a session where the session ID is specified by the attacker.

Mitigating this requires diligent input validation and proper handling of HTTP headers to ensure that malicious headers cannot be injected.

Consider the following example in PHP where user input is improperly included in a header:

<?php
// User input from query parameter
$redirectUrl = $_GET['redirect'];
header("Location: $redirectUrl");
?>

If an attacker provides a crafted URL like http://example.com/page.php?redirect=%0D%0ASet-Cookie:%20sessionid=malicious, it could lead to the injection of a Set-Cookie header in the HTTP response, enabling the attacker to perform session or cache-related attacks.

Remediation

If it is not possible to use untrusted input in HTTP headers, consider the following strategies to avoid HTTP response splitting:

Input Validation: Ensure all user inputs are validated and sanitized before inclusion in HTTP response headers. Either filter out or encode CR/LF characters, or better use a strict whitelist validation to enforce the expected data format for the header.
Output Encoding: Properly encode or replace any special characters in user input embedded within HTTP headers.
Library and Framework Use: Utilize security libraries for validation. Some frameworks include built-in protection against CR/LF injection in HTTP headers.
Security Testing: Implement automatic security testing mechanisms such as Static Application Security Testing (SAST) tools to detect HTTP response splitting vulnerabilities during the development phase.

The sanitized version of the previous code snippet looks like this:

<?php
$redirectUrl = $_GET['redirect'];

// Sanitize by removing CRLF characters
$redirectUrl = str_replace(array("\r", "\n"), '', $redirectUrl);

header("Location: $redirectUrl");
?>

Configuration

The detector has the following configurable parameters:

sources, that indicates the source kinds to check.
neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

CWE-113 : Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting').
OWASP Top 10 2021 - A03 : Injection.
HTTP Response Splitting attack.