Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

ID

scala.cookie.scala_cookie_rule_httpresponsesplitting

Severity

low

Resource

Cookie

Language

Scala

Description

When an HTTP request contains unexpected CR and LF characters, the server may respond with an output stream that is interpreted as two different HTTP responses (instead of one). An attacker can control the second response and mount attacks such as cross-site scripting and cache poisoning attacks.

Rationale

When an HTTP request contains unexpected CR and LF characters, the server may respond with an output stream that is interpreted as two different HTTP responses (instead of one). An attacker can control the second response and mount attacks such as cross-site scripting and cache poisoning attacks.

The following code illustrates a vulnerable pattern detected by this rule:

import java.io.IOException
import javax.servlet.ServletException
import javax.servlet.http.{Cookie, HttpServlet, HttpServletRequest, HttpServletResponse}

class HttpResponseSplitting extends HttpServlet {

  @throws[ServletException]
  @throws[IOException]
  override protected def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    // Untrusted request parameter: may contain CR (0x0D) and LF (0x0A) characters
    val input = req.getParameter("input")
    val c = new Cookie("name", null)
    // VULNERABLE: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
    c.setValue(input)
    c.setHttpOnly(true)
    c.setSecure(true)
    resp.addCookie(c)
  }

  @throws[ServletException]
  @throws[IOException]
  override protected def doPost(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    val input = req.getParameter("input")
    // VULNERABLE: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
    // Same flaw as doGet, with the tainted value passed through the constructor instead of setValue
    val c = new Cookie("name", input)
    c.setHttpOnly(true)
    c.setSecure(true)
    resp.addCookie(c)
  }

  @throws[ServletException]
  @throws[IOException]
  override protected def doDelete(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    val data = req.getParameter("input")
    // Stripping only LF is an incomplete sanitizer: CR is left untouched, so the rule still flags this
    val input = data.replaceAll("\n", "")
    // VULNERABLE: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
    val c = new Cookie("name", input)
    c.setHttpOnly(true)
    c.setSecure(true)
    resp.addCookie(c)
  }
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
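A hardened counterpart to the vulnerable servlet above, added here as an illustration and not part of the rule's own documentation: instead of stripping individual characters, the cookie value is validated against the RFC 6265 cookie-octet grammar (which excludes CR, LF and every other control character) and rejected outright if it does not conform. The names CookieValueGuard and SafeCookieServlet are assumptions for this example.

```scala
import java.io.IOException
import javax.servlet.ServletException
import javax.servlet.http.{Cookie, HttpServlet, HttpServletRequest, HttpServletResponse}

// Hypothetical helper, not part of the rule or of the servlet API
object CookieValueGuard {
  // RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
  // (printable US-ASCII without CTLs, whitespace, DQUOTE, comma, semicolon, backslash).
  // Anything outside this set, including CR (0x0D) and LF (0x0A), is rejected.
  private def isCookieOctet(ch: Char): Boolean =
    ch == 0x21 || (ch >= 0x23 && ch <= 0x2B) || (ch >= 0x2D && ch <= 0x3A) ||
      (ch >= 0x3C && ch <= 0x5B) || (ch >= 0x5D && ch <= 0x7E)

  // Returns Some(value) only when every character is a cookie-octet; None otherwise.
  // Rejecting is preferred over stripping: a value that needed CR/LF removed was
  // never a legitimate cookie value, and partial stripping (LF only) leaves CR behind.
  def validate(value: String): Option[String] =
    if (value != null && value.nonEmpty && value.forall(isCookieOctet)) Some(value)
    else None
}

class SafeCookieServlet extends HttpServlet {
  @throws[ServletException]
  @throws[IOException]
  override protected def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    CookieValueGuard.validate(req.getParameter("input")) match {
      case Some(safe) =>
        // Only a validated value ever reaches the Set-Cookie header
        val c = new Cookie("name", safe)
        c.setHttpOnly(true)
        c.setSecure(true)
        resp.addCookie(c)
      case None =>
        // Do not echo the rejected value into any response header
        resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid cookie value")
    }
  }
}
```

Recent servlet containers often reject CR and LF in header values on their own, but keeping the check in application code means the behaviour does not depend on the container version and the analyzer can see that the tainted value is validated before it reaches the cookie.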

Configuration

This detector does not need any configuration.

References