1. Vulnerability Description
- If a parameter in the HTTP request is passed back into a header of the HTTP response, the response header is split whenever the parameter contains a carriage return (CR, %0D) or line feed (LF, %0A) character.
- If the application does not validate the user's input value, an attacker can manipulate the response header value by supplying these line-break characters (%0D %0A).
- HTTP Response Splitting can be used to carry out XSS attacks and cache poisoning by injecting attacker-controlled content into the response messages.
[Fig 1. CRLF Vulnerability]
2. How to check vulnerability
- Insert the line-break characters (%0D %0A) into the parameter and verify whether the HTTP response is split into two responses.
[Fig 2. Example of vulnerability]
3. Vulnerability Countermeasure
- Do not insert user-entered values into HTTP headers returned from the application.
- If user-entered values must be inserted into an HTTP header, validate them before they reach the response header. Wherever an external input value is written into the response header, such as setting a Cookie value, setting a response header value, or inserting a Location value to redirect the page, the CR (%0D) and LF (%0A) characters that can cause the HTTP response to be split must be filtered out.
4. Example Code
- The example below sets the value of the returned cookie from an external input value.
However, if an attacker sets "Hacker\r\nHTTP/1.1 200 OK\r\n" as the value of authorName,
two unintended pages are delivered, as shown in the following example. In addition, the second response page can be modified at the attacker's discretion.
- (ex: HTTP/1.1 200 OK…Set-Cookie: author=Hacker HTTP/1.1 200 OK …)
- Vulnerable code
// Requires javax.servlet.*, javax.servlet.http.* and java.io.IOException.
// Method signature assumed: the original shows only the throws clause.
protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
    response.setContentType("text/html");
    // External input taken directly from the request parameter
    String author = request.getParameter("authorName");
    // Written into the Set-Cookie header without validation:
    // CR/LF inside author splits the response
    Cookie cookie = new Cookie("replidedAuthor", author);
    cookie.setMaxAge(1000);
    response.addCookie(cookie);
    RequestDispatcher frd = request.getRequestDispatcher("cookieTest.jsp");
    frd.forward(request, response);
}
- The example below checks the externally entered value for NULL and uses replaceAll to remove the line-break characters \r and \n so that the header value cannot be split.
- Safe code
// Requires javax.servlet.*, javax.servlet.http.* and java.io.IOException.
// Method signature assumed: the original shows only the throws clause.
protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {
    response.setContentType("text/html");
    String author = request.getParameter("authorName");
    // Reject missing or empty input
    if (author == null || "".equals(author)) {
        return;
    }
    // Remove CR and LF so the value cannot terminate the header line
    String filteredAuthor = author.replaceAll("\r", "").replaceAll("\n", "");
    Cookie cookie = new Cookie("replidedAuthor", filteredAuthor);
    cookie.setMaxAge(1000);
    cookie.setSecure(true);
    response.addCookie(cookie);
    RequestDispatcher frd = request.getRequestDispatcher("cookieTest.jsp");
    frd.forward(request, response);
}
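As an added illustration (not part of the original page), the following Python script shows at the wire level what sections 2 and 4 describe: the percent-encoded payload from the page is decoded, placed into a Set-Cookie header the way the vulnerable servlet does, and the resulting bytes are checked for a second status line; the same check is then run after the page's strip-CR/LF filter and after a stricter reject-on-CR/LF variant. The response layout and the cookie name are constructed to mirror the page's example.

```python
import re
from urllib.parse import unquote

# Constructed: the page's example value as it would arrive percent-encoded
# in the request (%0D%0A decodes to CR LF).
ENCODED_AUTHOR = "Hacker%0D%0AHTTP/1.1%20200%20OK%0D%0A"

# A status line at the start of a line marks the beginning of a response.
STATUS_LINE = re.compile(r"^HTTP/1\.1 \d{3} ", re.MULTILINE)


def sanitize_header_value(value):
    """Mirror of the page's safe code: reject null/empty, strip CR and LF."""
    if value is None or value == "":
        return None
    return value.replace("\r", "").replace("\n", "")


def validate_header_value(value):
    """Stricter variant (added here): refuse input that contains CR or LF
    instead of silently altering it, so the request can be logged and rejected."""
    if value is None or value == "":
        return None
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header value")
    return value


def render_response(author):
    """Simplified raw response the vulnerable servlet would emit: the
    authorName parameter is written straight into the Set-Cookie header."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        f"Set-Cookie: replidedAuthor={author}\r\n"
        "\r\n"
        "<html>cookieTest</html>"
    )


def count_responses(raw):
    """Check from section 2: a single servlet response that contains more
    than one status line has been split."""
    return len(STATUS_LINE.findall(raw))


if __name__ == "__main__":
    payload = unquote(ENCODED_AUTHOR)
    print("unfiltered:", count_responses(render_response(payload)))   # 2
    print("filtered:", count_responses(render_response(sanitize_header_value(payload))))  # 1
```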