CWE-113

Nombre

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Estado

Incomplete

Publicado

2006-07-19
00h00 +00:00

Modificado

2025-12-11
00h00 +00:00

Enlaces oficiales

CWE Mitre.org

Notificaciones para un CWE

Manténgase informado sobre cualquier cambio en un CWE específico.

Gestionar notificaciones

Alertas personalizadas

¡Active sus alertas personalizadas!

Para activar sus alertas, solo necesita iniciar sesión en su cuenta gratuita. Si aún no ha iniciado sesión, elija una de las opciones a continuación.

Iniciar sesión en su cuenta Crear una cuenta gratuita

Notificaciones para un CWE

Manténgase informado sobre cualquier cambio en un CWE específico.

Parámetros

Puede especificar un título que se recuperará en las alertas que se enviarán.

Especifique el ID de CWE que desea monitorear.

Planificación

Mes

Cálculo de la próxima ejecución

Día

Día de la semana

Hora

Minuto

Fecha de creación

Última ejecución

Próxima ejecución

Nombre: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

Informaciones generales

Modos de introducción

Implementation

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Tecnologías

Class: Web Based (Undetermined)
Name: Web Server (Undetermined)

Consecuencias comunes

Alcance	Impacto	Probabilidad
Integrity Access Control	Modify Application Data, Gain Privileges or Assume Identity Note: CR and LF characters in an HTTP header may give attackers control of the remaining headers and body of the message that the application intends to send/receive, as well as allowing them to create additional messages entirely under their control.

Ejemplos observados

Referencias	Descripción
CVE-2020-15811	Chain: Proxy uses a substring search instead of parsing the Transfer-Encoding header (CWE-697), allowing request splitting (CWE-113) and cache poisoning
CVE-2021-41084	Scala-based HTTP interface allows request splitting and response splitting through header names, header values, status reasons, and URIs
CVE-2018-12116	Javascript-based framework allows request splitting through a path option of an HTTP request
CVE-2004-2146	Application accepts CRLF in an object ID, allowing HTTP response splitting.
CVE-2004-1656	Shopping cart allows HTTP response splitting to perform HTML injection via CRLF in a parameter for a url
CVE-2005-2060	Bulletin board allows response splitting via CRLF in parameter.
CVE-2004-2512	Response splitting via CRLF in PHPSESSID.
CVE-2005-1951	e-commerce app allows HTTP response splitting using CRLF in object id parameters

Mitigaciones potenciales

Phases : Implementation
Construct HTTP headers very carefully, avoiding the use of non-validated input data.
Phases : Implementation
Phases : Implementation
Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Phases : Implementation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Métodos de detección

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Efectividad : High

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Patrones de ataque relacionados

CAPEC-ID	Nombre del patrón de ataque
CAPEC-105	HTTP Request Splitting
CAPEC-31	Accessing/Intercepting/Modifying HTTP Cookies This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-34	HTTP Response Splitting
CAPEC-85	AJAX Footprinting This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.

Referencias

REF-43

OWASP TOP 10
OWASP.
https://github.com/owasp-top/owasp-top-2007

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-1272

HTTP Request Splitting
Robert Auger.
http://projects.webappsec.org/w/page/13246929/HTTP%20Request%20Splitting

Envío

Nombre	Organización	Fecha	Fecha de lanzamiento	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modificaciones

Nombre	Organización	Fecha	Comentario
Eric Dalci	Cigital	2008-07-01 +00:00	updated References, Potential_Mitigations, Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Relationships, Observed_Example, Other_Notes, References, Taxonomy_Mappings
CWE Content Team	MITRE	2008-10-14 +00:00	updated Description
CWE Content Team	MITRE	2008-11-24 +00:00	updated Description, Other_Notes
CWE Content Team	MITRE	2009-03-10 +00:00	updated Demonstrative_Examples
CWE Content Team	MITRE	2009-05-27 +00:00	updated Name
CWE Content Team	MITRE	2009-07-27 +00:00	updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team	MITRE	2009-10-29 +00:00	updated Common_Consequences, Description, Other_Notes, Theoretical_Notes
CWE Content Team	MITRE	2010-02-16 +00:00	updated Taxonomy_Mappings
CWE Content Team	MITRE	2010-06-21 +00:00	updated Description, Name
CWE Content Team	MITRE	2011-03-29 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences, Description
CWE Content Team	MITRE	2012-05-11 +00:00	updated Common_Consequences, References, Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2014-06-23 +00:00	updated Demonstrative_Examples
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2015-12-07 +00:00	updated Relationships
CWE Content Team	MITRE	2017-05-03 +00:00	updated Related_Attack_Patterns
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Demonstrative_Examples
CWE Content Team	MITRE	2019-06-20 +00:00	updated Relationships
CWE Content Team	MITRE	2020-02-24 +00:00	updated Applicable_Platforms, Potential_Mitigations, Relationships, Type
CWE Content Team	MITRE	2020-06-25 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2021-10-28 +00:00	updated Relationships
CWE Content Team	MITRE	2022-06-28 +00:00	Extended the abstraction of this entry to include both HTTP request and response splitting.
CWE Content Team	MITRE	2022-06-28 +00:00	updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Theoretical_Notes
CWE Content Team	MITRE	2022-10-13 +00:00	updated Demonstrative_Examples, Related_Attack_Patterns
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Detection_Factors, References, Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes
CWE Content Team	MITRE	2024-11-19 +00:00	updated Demonstrative_Examples
CWE Content Team	MITRE	2025-12-11 +00:00	updated Applicable_Platforms, Relationships, Weakness_Ordinalities

Detalle CWE-113