# Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’)

| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
## Description

User input is written directly into an HTTP cookie (the `Set-Cookie` header) without validation or encoding. Because header lines are delimited by carriage return and line feed (CRLF) characters, an attacker who can place those characters in the value can terminate the cookie header early and control what the server sends next in the response.
## Impact

If exploited, an attacker can split or modify the HTTP response, injecting headers or body content of their choosing. This can lead to session hijacking, web cache poisoning, or cross-site scripting, undermining both user trust and the security of the application.
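The following is an added example, not code from the rule's source: it places the flagged pattern (raw input concatenated into a `Set-Cookie` header) next to a hardened version that validates the cookie name and value against the RFC 6265 grammar before the header is built. The header is modelled as a plain string rather than through the Servlet API so the class compiles with only the JDK; the tainted sample value is constructed for the demonstration.

```java
import java.util.regex.Pattern;

/** Added example: building a Set-Cookie header safely (not code from the rule's source). */
public final class CookieHeaderExample {

    // RFC 6265 "cookie-octet": printable US-ASCII except controls, space, DQUOTE, comma, semicolon, backslash.
    private static final Pattern COOKIE_OCTETS =
            Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");
    // RFC 6265 cookie-name is an HTTP token: no separators and no control characters.
    private static final Pattern TOKEN = Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");

    /** Vulnerable pattern the rule flags: user input concatenated straight into the header value. */
    static String naiveSetCookie(String name, String userValue) {
        return "Set-Cookie: " + name + "=" + userValue;
    }

    /** Hardened version: reject anything outside the RFC 6265 grammar before it reaches the header. */
    static String safeSetCookie(String name, String userValue) {
        if (!TOKEN.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid cookie name");
        }
        if (!COOKIE_OCTETS.matcher(userValue).matches()) {
            // CR, LF and every other control character land here, so the response can never be split.
            throw new IllegalArgumentException("cookie value contains characters not allowed in Set-Cookie");
        }
        return "Set-Cookie: " + name + "=" + userValue + "; HttpOnly; Secure; SameSite=Strict";
    }

    /** Review/triage helper: true if the header text would end the header line early. */
    static boolean containsHeaderSplit(String headerLine) {
        return headerLine.indexOf('\r') >= 0 || headerLine.indexOf('\n') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample: a request parameter carrying an embedded CRLF and a second header line.
        String tainted = "en\r\nX-Injected: 1";
        System.out.println(containsHeaderSplit(naiveSetCookie("lang", tainted)));   // true: header split
        try {
            safeSetCookie("lang", tainted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(safeSetCookie("lang", "en-US"));                          // well-formed header
    }
}
```

Validating at the point where the value is built, rather than relying on the servlet container to strip or reject control characters, keeps the defence independent of the deployment target.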