HTTP Header Checking Disabled

What does this mean?

HTTP response header injection vulnerabilities occur when user-supplied data is copied into a response header without adequate validation. If an attacker can inject newline (CR/LF) characters into the header value, they can add new HTTP headers; by injecting an empty line they can also break out of the headers into the message body and place arbitrary text in the application's response.

What can happen?

An attacker may carry out the following kinds of attack, depending on the application:

  • A cross-site scripting attack, which can result in session hijacking.
  • A session fixation attack by setting a new cookie through an injected header, which can also result in session hijacking.

Recommendation

Applications should avoid copying user-controllable data into HTTP response headers wherever possible. If it is unavoidable, the data should be rigorously validated to prevent response header injection. In most cases only short alphanumeric sequences should be allowed into headers, and any other input should be rejected. At the very least, any character with an ASCII code below 0x20 (which includes CR and LF) must be rejected.
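The two policies in the recommendation (a strict short-alphanumeric allow list, and the minimum bar of rejecting control characters) as an added, self-contained Python example; this is not code from the original page. The serializer and parser are deliberately naive stand-ins for an unchecked framework and a client, used here only as a test oracle to show what an unvalidated value would do to the response; the sample values, header names and limits (64 and 256 characters) are constructed assumptions.

```python
import re

# Preferred policy from the recommendation: a short alphanumeric token only.
# fullmatch() is used instead of ^...$ because `$` also matches before a
# trailing "\n", which would let a single line feed through.
STRICT_VALUE = re.compile(r"[A-Za-z0-9]{1,64}")  # 64 is an assumed limit


def is_strict_value(value):
    """Return True only for a 1-64 character alphanumeric string."""
    return isinstance(value, str) and STRICT_VALUE.fullmatch(value) is not None


def has_control_chars(value):
    """Minimum bar: any character below 0x20 (CR, LF, TAB, NUL, ...) or DEL (0x7F)."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def is_lenient_value(value, max_len=256):
    """Weaker policy for headers that must carry more than an alphanumeric token."""
    if not isinstance(value, str) or not 0 < len(value) <= max_len:
        return False
    return not has_control_chars(value)


def add_header(headers, name, value, strict=True):
    """Append (name, value) only if the value passes the chosen policy; raise otherwise."""
    ok = is_strict_value(value) if strict else is_lenient_value(value)
    if not ok:
        raise ValueError(f"rejected header value for {name!r}")
    headers.append((name, value))
    return headers


def serialize(headers):
    """Naive serializer standing in for a framework with header checking disabled."""
    return "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"


def parse_response_head(raw):
    """Header names a client would see, plus whether anything landed in the body."""
    head, _, body = raw.partition("\r\n\r\n")
    names = [line.split(":", 1)[0] for line in head.split("\r\n") if line]
    return names, body != ""


def check(value):
    """(passes strict, passes lenient, names an unchecked serializer emits, body leaked)."""
    names, body_leaked = parse_response_head(serialize([("X-Header", value)]))
    return is_strict_value(value), is_lenient_value(value), names, body_leaked


# Constructed sample inputs, not taken from any real request.
SAMPLES = {
    "benign": "abc123",
    "space": "hello world",            # fails strict, passes lenient
    "tab": "a\tb",                     # 0x09 is a control character
    "crlf": "abc\r\nX-Injected: 1",    # would add a second header line
    "body_break": "x\r\n\r\n<p>body</p>",  # empty line ends the headers
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:11} strict={check(value)[0]!s:5} lenient={check(value)[1]!s:5} "
              f"names={check(value)[2]} body_leaked={check(value)[3]}")
```

Running the script shows that both policies reject the CR/LF samples while only the strict policy rejects the space-containing value; the unchecked serializer turns the "crlf" sample into two headers and the "body_break" sample into response body content, which is exactly what validation at the header boundary prevents.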

Sample Code

Vulnerable:

string value = Request.QueryString["value"];
Response.AddHeader("X-Header", value); // Noncompliant

Non Vulnerable:

string value = Request.QueryString["value"];
// Allow only alphanumeric characters. \z anchors at the true end of the string;
// in .NET `$` also matches before a trailing "\n", which would let a line feed through.
if (value == null || !Regex.IsMatch(value, @"^[a-zA-Z0-9]+\z"))
{
  throw new Exception("Invalid value");
}
Response.AddHeader("X-Header", value); // Compliant

Vulnerable:

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String value = req.getParameter("value");
  resp.addHeader("X-Header", value); // Noncompliant
}

Non Vulnerable:

protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String value = req.getParameter("value");

    // Exact-match allow list. A String.contains() check on "safevalue1 safevalue2"
    // would accept substrings such as "value1 safe", and would throw on a null value.
    java.util.Set<String> whitelist = java.util.Set.of("safevalue1", "safevalue2");
    if (value == null || !whitelist.contains(value))
      throw new IOException("Invalid value");

    resp.addHeader("X-Header", value); // Compliant
}

Vulnerable:

$value = $_GET["value"];
header("X-Header: $value"); // Noncompliant

Non Vulnerable:

$value = $_GET["value"] ?? "";
// ctype_alnum() returns false for an empty string and for any non-alphanumeric character
if (ctype_alnum($value)) {
  header("X-Header: $value"); // Compliant
} else {
  http_response_code(400); // Error: reject the request
}