Summary #

Invicti identified a CRLF (new line) HTTP header injection.

This means the input goes into HTTP headers without proper input filtering.

Impact #
Depending on the application, an attacker might carry out the following types of attacks:
  • Cross-site scripting attack, which can lead to session hijacking
  • Session fixation attack by setting a new cookie, which can also lead to session hijacking
Actions To Take #
  1. See the remedy for solution.
  2. Ensure the server security patches are up to date and that the current stable version of the software is in use.
Remediation #
Do not allow newline characters in input. Where possible, use strict whitelisting.
Required Skills for Successful Exploitation #
Crafting the attack to exploit this issue is not a complex process. However, most unsophisticated attackers will not know that such an attack is possible. Also, an attacker needs to reach his victim by e-mail or other similar method in order to entice them to visit the site or click on a URL.
Classifications #
PCI v3.2-6.5.1; CAPEC-105; CWE-93; HIPAA-164.306(a), 164.308(a); ISO27001-A.14.2.5; WASC-24; OWASP 2013-A1; OWASP 2017-A1 , CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities


Search Vulnerability


Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo