HTTP Header Injection (IAST)

Summary#

Invicti identified a CRLF (new line) HTTP header injection.

This means the input goes into HTTP headers without proper input filtering.

Impact#

Depending on the application, an attacker might carry out the following types of attacks:

Cross-site scripting attack, which can lead to session hijacking
Session fixation attack by setting a new cookie, which can also lead to session hijacking

Actions To Take#

See the remedy for solution.
Ensure the server security patches are up to date and that the current stable version of the software is in use.

Remediation#

Do not allow newline characters in input. Where possible, use strict whitelisting.

Required Skills for Successful Exploitation#

Crafting the attack to exploit this issue is not a complex process. However, most unsophisticated attackers will not know that such an attack is possible. Also, an attacker needs to reach his victim by e-mail or other similar method in order to entice them to visit the site or click on a URL.

External References#

Classifications#

HIPAA-164.306(a), 164.308(a), PCI v3.2-6.5.1, OWASP 2013-A1, OWASP 2017-A1, CAPEC-105, CWE-93, WASC-24, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, ISO27001-A.14.2.5