Corgea LogoCorgea Security Hub

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Learn about CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')), its security impact, exploitation methods, and prevention guidelines.

What is Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')?

• Overview: The vulnerability occurs when an application improperly handles CRLF sequences in HTTP headers, allowing attackers to inject additional HTTP headers or responses. This can lead to multiple security issues like splitting a single HTTP response into two separate ones.

• Exploitation Methods:

  • Attackers exploit this by inserting CR (%0d) and LF (%0a) characters into HTTP headers, which allows them to manipulate HTTP responses.
  • Common attack patterns include injecting malicious headers to perform cross-site scripting (XSS), cache poisoning, or server-side request forgery (SSRF).

• Security Impact:

  • Direct consequences include the ability to inject malicious content into HTTP responses, leading to XSS or data leaks.
  • Potential cascading effects involve altered web application behavior, unauthorized data access, or compromised user sessions.
  • Business impact could include damage to brand reputation, loss of customer trust, and potential legal liabilities due to data breaches.

• Prevention Guidelines:

  • Specific code-level fixes include validating and sanitizing input to remove or escape CRLF characters before including them in HTTP headers.
  • Security best practices involve using libraries or frameworks that automatically handle character escaping and ensuring proper input validation throughout the application.
  • Recommended tools and frameworks include web application firewalls (WAFs) and security libraries that provide robust input validation and output encoding mechanisms.
Corgea can automatically detect and fix Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Web Based

Vulnerable Code Example

Python Example

from http.server import BaseHTTPRequestHandler, HTTPServer

class VulnerableHTTPRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        user_input = self.headers.get('X-User-Input')  # User-controlled input
        
        # Vulnerable code: Directly using user input in HTTP headers without sanitization
        self.send_response(200)
        self.send_header('X-Custom-Header', user_input)  # Potential for CRLF injection
        self.end_headers()
        self.wfile.write(b'Hello, World!')

Explanation:

  • Vulnerability: The X-User-Input header value, which is controlled by the user, is directly used in another header (X-Custom-Header) without any sanitization. If an attacker provides a value containing CRLF sequences (\r\n), it can lead to HTTP response splitting, allowing the attacker to inject additional headers or manipulate the HTTP response.

How to fix Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')?

To address this vulnerability, ensure that any user input included in HTTP headers is properly validated and sanitized:

  1. Validation: Ensure the input contains only expected and valid characters.
  2. Sanitization: Remove or encode CRLF sequences to prevent them from being interpreted as header delimiters.

By implementing these steps, you can prevent attackers from injecting malicious content into HTTP headers.

Fixed Code Example

Python Example

from http.server import BaseHTTPRequestHandler, HTTPServer
import re

class SafeHTTPRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        user_input = self.headers.get('X-User-Input')
        
        # Fixed code: Sanitize the user input to remove CRLF sequences
        if user_input:
            sanitized_input = re.sub(r'[\r\n]', '', user_input)  # Remove CRLF characters
        else:
            sanitized_input = 'default-value'  # Fallback to a safe default if input is None
        
        self.send_response(200)
        self.send_header('X-Custom-Header', sanitized_input)  # Safe usage of user input
        self.end_headers()
        self.wfile.write(b'Hello, World!')

Explanation:

  • Sanitization: We use a regular expression to remove any carriage return (\r) or line feed (\n) characters from user_input. This ensures that the input cannot break or inject additional headers.
  • Default Handling: If user_input is None, a default safe value is used, preventing further issues.
  • Result: The application is now protected against HTTP response splitting attacks, as it safely processes user input before including it in HTTP headers. This implementation follows best practices for handling user input in HTTP headers.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') and get remediation guidance

Start for free and no credit card needed.