Version: 2.11

HTTP Header Injection Security Feature

Overview

HTTP response header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers. If an attacker can inject an empty line into the header, then they can break out of the headers into the message body and write arbitrary content into the application's response.

info

HTTP header injection vulnerabilities are covered by CWE-113.

HTTP response header injection occurs when any of the targets below contains one or more user-controlled new line characters:

  • response header names and values

  • response cookie names and values

  • response cookie domain and paths

info

The new line characters that are currently supported are CR (Carriage Return) and LF (Line Feed):

  • CR is represented as "\r" in Java and has ASCII value 13 or 0x0D

  • LF is represented as "\n" in Java and has ASCII value 10 or 0x0A

The HTTP Response Header Injection security feature is enabled using the ARMR http rule. When this security feature is enabled the agent monitors HTTP responses and ensures that the HTTP response headers and cookies do not contain user-controlled newline characters that can cause such attacks as HTTP response splitting.

Given (Condition)

To enable the HTTP Header Injection security feature using the ARMR http rule the user specifies the response declaration.

response

This determines the HTTP endpoints for which protection is enabled. An optional key value pair can be supplied to this declaration where the key is paths and the value can be one of the following (indicating specifically targeted HTTP endpoints):

  • a quoted string
  • a list of one or more quoted-strings

If no value is specified then protection will be applied to all HTTP endpoints by default.

If a string value is specified then it must:

  • not be empty
  • be a valid relative URI

info

Only one ARMR http rule for HTTP Header Injection protection is allowed to be defined for a given HTTP endpoint.

When (Event)

The header injection rule supports one event - injection

injection

This is a mandatory declaration that allows the user to specify the target type for which the ARMR http rule should enable HTTP response header injection protection. The following target types are supported:

  • headers - protect against injection into HTTP response headers
  • cookies - protect against injection into HTTP response cookies

Then (Action)

protect

If an HTTP response header or cookie contains user-controlled newline characters then the offending header or cookie is removed from the HTTP response.

If configured, a log message is generated with details of the event.

detect

Monitoring mode: the application behaves as normal. HTTP response headers or cookies that contain user-controlled newline characters are allowed through by the agent.

A log message must be specified with this action, and it is generated with details of the event.
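The following Python model is an added example, not the agent's own code or API: it implements the check described in the Overview (CR 0x0D and LF 0x0A in header names and values, cookie names and values, and cookie domain and path) and then applies the two actions above, dropping the offending header or cookie under protect and leaving the response untouched under detect, logging only when a message is configured. The `Response`, `Cookie`, `find_injection`, `serialize` and `enforce` names and the sample response are this example's assumptions; the model treats every header and cookie as user-controlled, whereas the agent only flags data it has tracked from the request.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CR, LF = "\r", "\n"   # ASCII 0x0D and 0x0A, the two newline characters the feature checks


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    domain: str = ""


@dataclass
class Response:
    headers: List[Tuple[str, str]] = field(default_factory=list)
    cookies: List[Cookie] = field(default_factory=list)


def has_newline(s: str) -> bool:
    """True when the string contains CR or LF."""
    return CR in s or LF in s


def find_injection(resp: Response) -> List[dict]:
    """One finding per header or cookie whose name, value, domain or path
    contains CR/LF (assumption: every value is user-controlled)."""
    findings = []
    for i, (name, value) in enumerate(resp.headers):
        if has_newline(name) or has_newline(value):
            findings.append({"target": "headers", "index": i, "name": name})
    for i, c in enumerate(resp.cookies):
        if any(has_newline(s) for s in (c.name, c.value, c.domain, c.path)):
            findings.append({"target": "cookies", "index": i, "name": c.name})
    return findings


def serialize(resp: Response) -> str:
    """Render the header block the way a server that does not filter CR/LF
    writes it, so injected lines show up as extra headers or body."""
    lines = ["HTTP/1.1 200 OK"]
    lines += [f"{name}: {value}" for name, value in resp.headers]
    for c in resp.cookies:
        attrs = f"{c.name}={c.value}; Path={c.path}"
        if c.domain:
            attrs += f"; Domain={c.domain}"
        lines.append("Set-Cookie: " + attrs)
    return "\r\n".join(lines) + "\r\n\r\n"


def enforce(resp: Response, target: str, action: str,
            message: Optional[str] = None) -> Tuple[Response, List[str]]:
    """Apply one rule: target is 'headers' or 'cookies' (the injection()
    declaration); action 'protect' drops the offending item, 'detect' keeps
    the response unchanged. Logs are produced only when a message is set,
    and detect requires one. Returns (response, log messages)."""
    if action not in ("protect", "detect"):
        raise ValueError(f"unknown action {action!r}")
    if action == "detect" and message is None:
        raise ValueError("detect requires a log message")
    findings = [f for f in find_injection(resp) if f["target"] == target]
    logs = [] if message is None else [
        f"{message} (target={f['target']}, name={f['name']!r})" for f in findings]
    if action == "detect" or not findings:
        return resp, logs
    drop = {f["index"] for f in findings}
    if target == "headers":
        kept = Response([h for i, h in enumerate(resp.headers) if i not in drop],
                        list(resp.cookies))
    else:
        kept = Response(list(resp.headers),
                        [c for i, c in enumerate(resp.cookies) if i not in drop])
    return kept, logs


def sample_response() -> Response:
    """Constructed sample: a redirect target and a preference cookie copied
    from hostile request parameters without stripping CR/LF."""
    return Response(
        headers=[("Content-Type", "text/html"),
                 ("Location", "/home\r\nSet-Cookie: session=attacker")],
        cookies=[Cookie("lang", "en"),
                 Cookie("pref", "x\r\n\r\n<html>injected</html>")],
    )


if __name__ == "__main__":
    r = sample_response()
    print(serialize(r))   # the injected Set-Cookie line and the body break are visible
    for target in ("headers", "cookies"):
        hardened, logs = enforce(r, target, "protect", "CRLF injection found")
        print(target, "->", serialize(hardened), logs)
```

Running the script prints the raw response first, where the CRLF in the Location value has produced a second `Set-Cookie:` line and the CRLF CRLF in the cookie value has ended the header block, and then the response after protect, with the two offending items gone.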

Examples

The following ARMR http rule switches on the HTTP Header Injection security feature for headers for all HTTP endpoints.

app("HTTP Response Header Injection mod"):
requires(version: ARMR/2.7)
http("HTTP header injection protection for all HTTP endpoints - headers"):
response()
injection(headers)
protect(message: "CRLF injection found in HTTP response headers", severity: 7)
endhttp
endapp

The following mod protects against HTTP response header injection in headers for a single HTTP endpoint.

app("HTTP Response Header Injection mod 2"):
requires(version: ARMR/2.7)
http("HTTP header injection protection for specific HTTP endpoint - headers"):
response(paths: "/webapp/index.jsp")
injection(headers)
protect(message: "CRLF injection found in HTTP response headers", severity: 7)
endhttp
endapp

The following mod detects HTTP response header injection in headers for multiple HTTP endpoints.

app("HTTP Response Header Injection mod 3"):
requires(version: ARMR/2.7)
http("HTTP header injection detection for multiple HTTP endpoints - headers"):
response(paths: ["/webapp/testPageA.jsp", "/webapp/testPageB.jsp"])
injection(headers)
detect(message: "CRLF injection found in HTTP response headers", severity: 7)
endhttp
endapp

The following mod protects against HTTP response header injection in cookies for all HTTP endpoints.

app("HTTP Response Header Injection mod 4"):
requires(version: ARMR/2.7)
http("HTTP header injection protection for all HTTP endpoints - cookies"):
response()
injection(cookies)
protect(message: "CRLF injection found in HTTP response cookies", severity: 7)
endhttp
endapp

Logging On/Off Example

The following mod protects against HTTP response header injection in headers for all HTTP endpoints. Logging is switched ON. As the message attribute is defined as an empty string (""), a default message will be included in the security event msg extension.

app("HTTP Response Header Injection mod 5"):
requires(version: ARMR/2.7)
http("HTTP header injection protection. Logging ON"):
response()
injection(headers)
protect(message: "", severity: 7)
endhttp
endapp

The following mod protects against HTTP response header injection in headers for all HTTP endpoints. Logging is switched OFF by the omission of the action message attribute.

app("HTTP Response Header Injection mod 6"):
requires(version: ARMR/2.7)
http("HTTP header injection protection. Logging OFF"):
response()
injection(headers)
protect(severity: 7)
endhttp
endapp