When an HTTP response header is built from unverified data, the result can be cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or an open redirect.
Principle of the HTTP Header Injection Vulnerability
An HTTP header injection vulnerability arises when both of the following hold:
1. Data enters the web application from an untrusted source, most commonly an HTTP request.
2. That data is placed in an HTTP response header and sent to the web user without being validated.
The most common header manipulation attack is HTTP Response Splitting. For HTTP Response Splitting to succeed, the application must allow input containing CR (carriage return, %0d or \r) and LF (line feed, %0a or \n) characters to be written into a response header.
Using these characters an attacker not only controls the remaining headers and the body of the response the application is about to send, but can also create further responses that are entirely under the attacker's control.
HTTP Header Injection Vulnerability Example
<?php
// Vulnerable: the Location header is built directly from an untrusted query parameter.
$location = $_GET['some_location'];
header("Location: $location");
?>
If the request carries a string made only of ordinary letters and digits, such as "index.html", the HTTP response containing this header takes the following form (PHP sends a Location header with a 302 status):
HTTP/1.1 302 Found
...
Location: index.html
...
However, because the value of the Location header is built from unvalidated user input, the response keeps this form only as long as the value submitted for some_location contains no CR or LF characters.
If the attacker instead submits a malicious string such as
"index.html\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\n..."
(sent URL-encoded in the query string as index.html%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a...), the empty line closes the header block of the first response and Content-Length: 0 tells the receiver that its body is empty, so the HTTP response is split into two responses of the following form:
HTTP/1.1 302 Found
Location: index.html
Content-Length: 0

HTTP/1.1 200 OK
...
The second response is entirely under the attacker's control: the attacker chooses its headers and body and can therefore construct arbitrary HTTP responses to mount the attacks listed above.
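To make the split concrete, here is an added Python example (not code from the original article): it rebuilds the vulnerable handler's output, feeds it a constructed, URL-encoded attack value, and parses the resulting bytes the way a simple proxy or browser would. The payload and its 18-byte HTML body are constructed for the example.

```python
# Added example, not from the original article: reproduce the vulnerable
# handler's output in Python and parse it the way a downstream receiver would.
from urllib.parse import unquote

# Constructed attack value, exactly as it would appear URL-encoded in the
# query string: some_location=<PAYLOAD>. The decoded %0d%0a pairs end the
# first response's headers and start a second, attacker-written response.
PAYLOAD = (
    "index.html%0d%0a"
    "Content-Length:%200%0d%0a"
    "%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0a"
    "Content-Length:%2018%0d%0a"
    "%0d%0a"
    "%3Chtml%3Epwned%3C/html%3E"
)


def vulnerable_redirect(some_location: str) -> bytes:
    """Mimics header("Location: $location") with no validation. PHP answers
    a Location header with a 302 status; the body is empty."""
    response = "HTTP/1.1 302 Found\r\nLocation: " + some_location + "\r\n\r\n"
    return response.encode("latin-1")


def split_responses(raw: bytes) -> list:
    """Parse a byte stream as a simple HTTP/1.1 receiver does: status line,
    header lines up to a blank line, then Content-Length body bytes (0 when
    the header is absent). Returns one dict per message found."""
    messages = []
    pos = 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head = raw[pos:end].decode("latin-1")
        if not head:                      # stray CRLF between messages: skip it
            pos = end + 4
            continue
        status, *header_lines = head.split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = raw[body_start:body_start + length]
        messages.append({"status": status, "headers": headers, "body": body})
        pos = body_start + length
    return messages


def demo() -> list:
    """$_GET has already URL-decoded the parameter, so decode the payload
    before handing it to the handler, then parse what goes on the wire."""
    return split_responses(vulnerable_redirect(unquote(PAYLOAD)))


if __name__ == "__main__":
    for i, msg in enumerate(demo(), 1):
        print(f"response {i}: {msg['status']} headers={msg['headers']} body={msg['body']!r}")
```

Run it and two messages come back: the application's 302 with an empty body, followed by a 200 whose headers and body were supplied entirely by the query parameter. With a benign value such as "index.html" the same parser sees exactly one response.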
HTTP Header Injection Vulnerability Solution
Many modern application servers now refuse to write CR/LF characters into HTTP response headers.
PHP, for example, has since versions 4.4.2 and 5.1.2 emitted a warning and dropped the header when a value passed to header() contains a newline. If your PHP version rejects headers containing line breaks, header() itself can no longer be used for HTTP Response Splitting; the measures below still apply to any other path by which request data reaches a response header.
Common solutions at the code level:
1. Strictly check that the variable is initialised and non-empty before it is used in a header.
2. In code that sets HTTP response headers, reject or strip line-break characters (\r and \n). Apply the check to the decoded value: %0d%0a and %0D%0A are decoded by the server before the data reaches your code, so matching on the percent-encoded text alone is not enough.
3. Do not let externally controlled parameters flow into header() directly; map them onto a fixed set of allowed values instead.
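The three measures together, as an added Python example (not from the original article, and written in Python rather than PHP so that it runs stand-alone): the parameter must be present, the decoded value is checked for CR, LF and NUL before it is written into a header line, and the request only selects among known destinations. ALLOWED_LOCATIONS and the file names in it are assumptions for the illustration.

```python
# Added example, not from the original article: a redirect handler applying
# the three code-level measures above. Destination names are hypothetical.
from urllib.parse import parse_qs

# Measure 3: the request never controls the header value directly; it selects
# one of a fixed set of known destinations (hypothetical file names).
ALLOWED_LOCATIONS = {"index.html", "login.html", "account.html"}

BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def is_safe_header_value(value: str) -> bool:
    """Measure 2: a header value may not contain CR, LF or NUL. Apply this to
    the decoded string: the web server (or parse_qs here) has already turned
    %0d%0a / %0D%0A into real CR LF bytes, so matching on the percent-encoded
    text would miss raw characters and alternative encodings."""
    return not any(ch in value for ch in ("\r", "\n", "\0"))


def header_line(name: str, value: str) -> str:
    """Build one header line, refusing anything that could split the response."""
    if not is_safe_header_value(value):
        raise ValueError(f"line break or NUL in header value for {name}")
    return f"{name}: {value}\r\n"


def build_redirect(query_string: str) -> bytes:
    """Safe replacement for header("Location: $location")."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("some_location")
    # Measure 1: the parameter must actually be present and non-empty.
    if not values or not values[0]:
        return BAD_REQUEST
    requested = values[0]
    if requested not in ALLOWED_LOCATIONS:
        return BAD_REQUEST
    # header_line() still runs the CR/LF check, so a later change to the
    # allowlist cannot silently reintroduce the bug.
    return ("HTTP/1.1 302 Found\r\n"
            + header_line("Location", requested)
            + "Content-Length: 0\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    print(build_redirect("some_location=index.html"))
    print(build_redirect("some_location=index.html%0d%0aSet-Cookie:%20session=attacker"))
```

The second call decodes to "index.html\r\nSet-Cookie: session=attacker", which is not an allowed destination and is rejected before any header is written; had it slipped past the allowlist, header_line() would raise rather than emit the injected line.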