C#

C-sharp : HTTP header manipulation

Overview

The application allows newline characters to be included in an HTTP response header. If data from an untrusted source is written into a response header, multiple attacks become possible, including cache poisoning, cross-site scripting (XSS), cookie manipulation, page hijacking, open redirects and others.

One of the most common attacks that exploits this vulnerability is HTTP response splitting. The attacker places CR (carriage return, also written %0d or \r) and LF (line feed, also written %0a or \n) characters in a value that ends up in the response header. Everything after these characters is interpreted by the client (or an intermediate proxy or cache) as further headers or body, so the attacker can not only control the rest of the response but also forge complete additional responses.

By default, .NET disallows newline characters in HTTP response headers. This behavior can be overridden by setting the EnableHeaderChecking property of the HttpRuntimeSection object to false.
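The following is an added illustration, not code from the DerScanner page: a classic ASP.NET (System.Web) handler that copies a request parameter into the Location header. The parameter name "next" and the handler class are hypothetical. The commented-out line shows the unsafe pattern; the live code validates the value before it reaches the header, so the handler stays safe even if EnableHeaderChecking is later switched off, and it also closes the open-redirect angle by accepting only local paths.

```csharp
using System;
using System.Web;

// Hypothetical handler (added example, not the page's own code).
public class RedirectHandler : IHttpHandler
{
    public bool IsReusable => true;

    public void ProcessRequest(HttpContext context)
    {
        // Untrusted input: an attacker controls this query-string value.
        string target = context.Request.QueryString["next"] ?? "/";

        // Vulnerable when header checking is disabled: a value containing
        // %0d%0a (CR LF) terminates the Location header and whatever follows
        // is parsed as additional headers or a second response.
        // context.Response.AddHeader("Location", target);

        // Hardened: reject CR/LF and non-local targets before writing the header.
        context.Response.AddHeader("Location", HeaderSafety.RequireLocalSingleLine(target));
        context.Response.StatusCode = 302;
    }
}

public static class HeaderSafety
{
    // Returns the value unchanged when it is a single-line, site-local path;
    // throws otherwise so the bad value never reaches the response header.
    public static string RequireLocalSingleLine(string value)
    {
        if (value == null)
            throw new ArgumentNullException(nameof(value));

        // Response splitting: any CR or LF in a header value is an injection attempt.
        if (value.IndexOfAny(new[] { '\r', '\n' }) >= 0)
            throw new ArgumentException("CR/LF characters are not allowed in an HTTP header value.");

        // Open redirect: only allow paths on this site ("/x"), not "//evil" or "http://evil".
        if (!value.StartsWith("/", StringComparison.Ordinal) ||
            value.StartsWith("//", StringComparison.Ordinal) ||
            value.StartsWith("/\\", StringComparison.Ordinal))
            throw new ArgumentException("Redirect target must be a local path.");

        return value;
    }
}
```

As a check during review, confirm that web.config does not carry `<httpRuntime enableHeaderChecking="false" />`; the attribute defaults to true, and the validation above is the defence-in-depth layer that does not depend on that setting.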

DerScanner Severity Score: MEDIUM


See also

- C# - C-sharp : JWT: None Algorithm
- C# - C-sharp : Insecure data transmission: Database
- C# - C-sharp : Only one of method Equals() and GetHashCode() defined