# Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’)
| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
## Description
User input from a path parameter is written directly into an HTTP response header without validation. Because a carriage return/line feed pair (CRLF, `\r\n`) ends a header line, an attacker who can place these characters in the parameter can terminate the intended header and append headers of their own, or alter the rest of the response.
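As an added illustration (not code from the rule page), the following Python shows the pattern the rule flags: a path parameter copied into a `Location` header, once unchecked and once behind a validator that rejects CR, LF and other control characters. A small header parser, modelled on how a naive client or cache would read the bytes, shows that the unchecked version yields an extra header. All function names and the sample input are constructed for this example; the path parameter is assumed to arrive already URL-decoded, as web frameworks normally deliver it.

```python
"""Added example: vulnerable vs. hardened header construction (CWE-113)."""
import re

# Any CR or LF inside a header value ends that header line early.
# Other control characters are rejected as well; none belong in a header value.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]")


class HeaderInjectionError(ValueError):
    """Raised when a value would break out of its header line."""


def build_redirect_vulnerable(username: str) -> bytes:
    """Copies the (already URL-decoded) path parameter into the header unchecked.

    This is the shape of code the rule reports: anything in `username`,
    including a CRLF, lands verbatim in the response head.
    """
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /profile/{username}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def safe_header_value(value: str) -> str:
    """Reject rather than strip: silently removing CR/LF hides the attempt
    from logs and can leave a value that still means something else."""
    if _FORBIDDEN.search(value):
        raise HeaderInjectionError(f"control character in header value: {value!r}")
    return value


def build_redirect_hardened(username: str) -> bytes:
    """Same response, but the parameter is validated before it reaches a header."""
    location = "/profile/" + safe_header_value(username)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Parse the response head the way a naive client or cache would."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


if __name__ == "__main__":
    # Constructed input: a name followed by a CRLF and a second header line.
    tainted = "alice\r\nX-Injected: 1"
    print(parse_headers(build_redirect_vulnerable(tainted)))
    try:
        build_redirect_hardened(tainted)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Raising on bad input, rather than stripping the offending bytes, keeps the rejection visible in application logs and avoids producing a "cleaned" value that was never what the caller intended. The check must run on the decoded value: a `%0d%0a` sequence is harmless only until something decodes it before the header is written.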
## Impact
If exploited, an attacker can perform HTTP response splitting: the injected headers or body are treated as a legitimate response, which can lead to cache poisoning, cross-site scripting, or session hijacking. These in turn can expose user data, enable phishing, or disrupt normal application behavior.