Java : HTTP header manipulation
Classification
Overview
The application includes data from an untrusted source into the HTTP response header. Cache poisoning attacks, XSS, cookie manipulation, page hijacking, open redirect attacks and others are possible.
One of the most common attacks with the use of this vulnerability is HTTP response splitting . In this case, the attacker includes special CR (carriage return, also denoted as %0d and \r) and LF (new line, also %0a and \n) characters into the response header. This allows the attacker to not only manage the content of a response after these characters, but also create his/her own answers.
Most modern servers include protection against such attacks. For example, Apache Tomcat will generate exception of the IllegalArgumentException type when attempting to inject banned symbols into the header.
References
- OWASP Top 10 2017-A1-Injection
- OWASP Top 10 2013-A1-Injection
- CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)
- OWASP: HTTP Response Splitting
- CWE-20
- CWE CATEGORY: OWASP Top Ten 2017 Category A1 - Injection
- CWE CATEGORY: OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure
- CWE-1036