Skip to content

HTTP Header Checking Disabled

What does this mean ?

HTTP response header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

What can happen ?

Depending on the application, an attacker might carry out the following types of attacks: - Cross-site scripting attack, which can lead to session hijacking. - Session fixation attack by setting a new cookie, which can also lead to session hijacking

Recommendation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent response header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Sample Code

Vulnerable :

string value = Request.QueryString["value"];
Response.AddHeader("X-Header", value); // Noncompliant

Non Vulnerable :

string value = Request.QueryString["value"];
// Allow only alphanumeric characters
if (value == null || !Regex.IsMatch(value, "^[a-zA-Z0-9]+$"))
{
  throw new Exception("Invalid value");
}
Response.AddHeader("X-Header", value);

Vulnerable :

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String value = req.getParameter("value");
  resp.addHeader("X-Header", value); // Noncompliant
}

Non Vulnerable :

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String value = req.getParameter("value");

    String whitelist = "safevalue1 safevalue2";
    if (!whitelist.contains(value))
      throw new IOException();

    resp.addHeader("X-Header", value); // Compliant
}

Vulnerable :

$value = $_GET["value"];
header("X-Header: $value"); // Noncompliant

Non Vulnerable :

$value = $_GET["value"];
if (ctype_alnum($value)) {
  header("X-Header: $value"); // Compliant
} else {
  // Error
}

References