HTTP Header Injection - Vulnerability Database

HTTP Header Injection

Description

This vulnerability occurs when an application accepts user input and includes it in HTTP response headers without properly validating or sanitizing Carriage Return (CR) and Line Feed (LF) characters. Since HTTP headers use CRLF sequences (\r\n) as line delimiters, an attacker can inject these characters to manipulate the header structure, insert arbitrary headers, or split the HTTP response into multiple responses. This technique, known as HTTP Response Splitting, can be leveraged to perform cache poisoning, cross-site scripting (XSS), session fixation, and other attacks that compromise application security and user data.

Remediation

Implement the following measures to prevent CRLF injection attacks:

1. Input Validation: Reject any user input containing CR (\r, 0x0D) or LF (\n, 0x0A) characters before using it in HTTP headers.

2. Output Encoding: If CRLF characters must be allowed in input, encode or strip them before including the data in response headers. Example in Java:

// Strip CR (\r) and LF (\n) so the value cannot terminate the header line early
String sanitizedValue = userInput.replaceAll("[\\r\\n]", "");
response.setHeader("X-Custom-Header", sanitizedValue);

Example in Python:

import re
# Strip CR (\r) and LF (\n) so the value cannot terminate the header line early
sanitized_value = re.sub(r'[\r\n]', '', user_input)
response.headers['X-Custom-Header'] = sanitized_value

3. Use Framework Functions: Utilize built-in header-setting functions provided by your web framework, as they often include automatic protection against header injection.

4. Avoid Direct Header Construction: Never manually construct HTTP headers by concatenating user input with CRLF sequences. Always use secure APIs designed for header manipulation.
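The four measures above, combined in one place as an added example (not code from the Invicti page): a minimal header emitter whose every value passes through a reject or strip check before it reaches the response, plus a counter that makes the effect of an unchecked CRLF visible. All function names here are hypothetical.

```python
import re
from typing import Callable, Dict

# Matches CR (0x0D) and LF (0x0A), the line delimiters of HTTP/1.1 headers.
CRLF_RE = re.compile(r"[\r\n]")


def validate_header_value(value: str) -> str:
    """Measure 1: reject any value containing CR or LF instead of emitting it."""
    if CRLF_RE.search(value):
        raise ValueError("header value must not contain CR or LF")
    return value


def sanitize_header_value(value: str) -> str:
    """Measure 2: strip CR and LF when the input cannot simply be rejected."""
    return CRLF_RE.sub("", value)


def build_response_head(
    status: str,
    headers: Dict[str, str],
    check: Callable[[str], str] = validate_header_value,
) -> bytes:
    """Measures 3 and 4: a single header-setting routine, so no caller ever
    concatenates user input into a raw header line itself. `check` is the
    hook every value goes through; the default rejects, `sanitize_header_value`
    strips, and passing the identity function reproduces the vulnerable case."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers.items():
        lines.append(f"{name}: {check(value)}")
    # Header field values are byte-oriented; latin-1 keeps one byte per character.
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def header_count(head: bytes) -> int:
    """Number of header lines the emitted head contains (status line excluded).
    A value that smuggled in a CRLF shows up here as an extra line."""
    return len(head.rstrip(b"\r\n").split(b"\r\n")) - 1


if __name__ == "__main__":
    # Constructed sample input carrying a CRLF, as a tester would supply it.
    tainted = {"X-Custom-Header": "value\r\nX-Injected: yes"}
    print(header_count(build_response_head("200 OK", tainted, check=lambda v: v)))  # 2
    print(header_count(build_response_head("200 OK", tainted, check=sanitize_header_value)))  # 1
```

With the default `check`, the same tainted input raises `ValueError` before any bytes are written, which is the behaviour to prefer when the field has no legitimate need for line breaks.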
