Version: 2.8

HTTP Header Injection Security Feature

Overview

HTTP response header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers. If an attacker can inject an empty line into the header, then they can break out of the headers into the message body and write arbitrary content into the application's response.

HTTP header injection vulnerabilities are covered by CWE-113.

HTTP response header injection occurs when any of the targets below contains one or more user-controlled new line characters:

  • response header names and values

  • response cookie names and values

  • response cookie domains and paths

The new line characters that are currently supported are CR (Carriage Return) and LF (Line Feed):

  • CR is represented as "\r" in Java and has ASCII value 13 or 0x0D

  • LF is represented as "\n" in Java and has ASCII value 10 or 0x0A

The HTTP Response Header Injection security feature is enabled using the ARMR http rule. When this security feature is enabled, the agent monitors HTTP responses and ensures that the HTTP response headers and cookies do not contain user-controlled newline characters that can cause attacks such as HTTP response splitting.

Given (Condition)

To enable the HTTP Header Injection security feature using the ARMR http rule, the user specifies the response declaration.

response

This determines the HTTP endpoints for which protection is enabled. An optional key-value pair can be supplied to this declaration, where the key is paths and the value can be one of the following (indicating specifically targeted HTTP endpoints):

  • a quoted string

  • a list of one or more quoted strings

If no value is specified then protection will be applied to all HTTP endpoints by default. If a string value is specified then it must:

  • not be empty

  • be a valid relative URI

Only one ARMR http rule for HTTP Header Injection protection is allowed to be defined for a given HTTP endpoint.

When (Event)

The header injection rule supports one event: injection.

injection

This is a mandatory declaration that allows the user to specify the target type for which the ARMR http rule should enable HTTP response header injection protection. The following target types are supported:

  • headers - protect against injection into HTTP response headers

  • cookies - protect against injection into HTTP response cookies

Then (Action)

protect

If an HTTP response header or cookie contains user-controlled newline characters then the offending header or cookie will be removed from the HTTP response. If configured, a log message is generated with details of the event.

detect

Monitoring mode: the application behaves as normal. HTTP response headers or cookies that contain user-controlled newline characters are allowed by the agent. If configured, a log message is generated with details of the event. A log message must be specified with this action.
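
The difference between the protect and detect actions, modelled in Java as an added example (not code from the original page or from the agent itself). The Target record, its userControlled flag and the sample response are assumptions constructed for illustration.

```java
import java.util.*;

// Simplified model of the rule's semantics; not the agent's implementation.
public class HeaderInjectionModel {
    enum Action { PROTECT, DETECT }

    // One header or cookie. userControlled is an assumption standing in for the
    // agent's own tracking of user-supplied data.
    record Target(String kind, Map<String, String> fields, boolean userControlled) {}

    // True if any field (name, value, cookie domain or path) contains CR or LF.
    static boolean hasNewline(Target t) {
        return t.fields().values().stream()
                .anyMatch(v -> v.indexOf('\r') >= 0 || v.indexOf('\n') >= 0);
    }

    // Returns what stays in the response and appends one log line per event.
    static List<Target> apply(List<Target> response, Action action, List<String> log) {
        List<Target> kept = new ArrayList<>();
        for (Target t : response) {
            boolean offending = t.userControlled() && hasNewline(t);
            if (offending) {
                // Neutralise CR/LF so the event cannot forge extra log lines.
                String name = t.fields().get("name").replaceAll("[\\r\\n]", "?");
                log.add(action + ": CRLF injection found in " + t.kind() + " " + name);
            }
            // protect removes the offending target; detect lets it through.
            if (!offending || action == Action.DETECT) kept.add(t);
        }
        return kept;
    }

    public static void main(String[] args) {
        // Constructed sample response, not captured traffic.
        List<Target> response = List.of(
            new Target("header", Map.of("name", "Content-Type", "value", "text/html"), false),
            new Target("header", Map.of("name", "Location",
                "value", "/home\r\nX-Injected: 1"), true),
            new Target("cookie", Map.of("name", "lang", "value", "en",
                "domain", "example.test", "path", "/\n/x"), true),
            // Newline present but not user-controlled, so not an event here.
            new Target("header", Map.of("name", "X-Note", "value", "a\nb"), false));
        for (Action a : Action.values()) {
            List<String> log = new ArrayList<>();
            List<Target> kept = apply(response, a, log);
            System.out.println(a + " kept " + kept.size() + "/" + response.size() + " " + log);
        }
    }
}
```

In this model both actions record the same two events; only protect drops the offending header and cookie from the response.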

Examples

The following ARMR http rule switches on the HTTP Header Injection security feature for headers for all HTTP endpoints.

app("HTTP Response Header Injection mod"):
  requires(version: ARMR/2.8)
  http("HTTP header injection protection for all HTTP endpoints - headers"):
    response()
    injection(headers)
    protect(message: "CRLF injection found in HTTP response headers", severity: 7)
  endhttp
endapp

The following mod protects against HTTP response header injection in headers for a single HTTP endpoint.

app("HTTP Response Header Injection mod 2"):
  requires(version: ARMR/2.8)
  http("HTTP header injection protection for specific HTTP endpoint - headers"):
    response(paths: "/webapp/index.jsp")
    injection(headers)
    protect(message: "CRLF injection found in HTTP response headers", severity: 7)
  endhttp
endapp

The following mod detects HTTP response header injection in headers for multiple HTTP endpoints.

app("HTTP Response Header Injection mod 3"):
  requires(version: ARMR/2.8)
  http("HTTP header injection detection for multiple HTTP endpoints - headers"):
    response(paths: ["/webapp/testPageA.jsp", "/webapp/testPageB.jsp"])
    injection(headers)
    detect(message: "CRLF injection found in HTTP response headers", severity: 7)
  endhttp
endapp

The following mod protects against HTTP response header injection in cookies for all HTTP endpoints.

app("HTTP Response Header Injection mod 4"):
  requires(version: ARMR/2.8)
  http("HTTP header injection protection for all HTTP endpoints - cookies"):
    response()
    injection(cookies)
    protect(message: "CRLF injection found in HTTP response cookies", severity: 7)
  endhttp
endapp