logo

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when an application accepts user-supplied data and includes it directly in HTTP headers without properly filtering out carriage return (CR) and line feed (LF) characters. This allows an attacker to inject new headers or split a single HTTP response into two separate responses, corrupting the intended communication flow.

Extended Description

HTTP request/response splitting happens when untrusted data, often from user input in an HTTP request, flows into an outgoing HTTP response header without validation. Attackers can inject CR (%0d or \r) and LF (%0a or \n) characters—or other separators like tabs and spaces—to break the header structure. The receiving agent (like a browser or proxy) then interprets the injected characters as the end of one header and the start of a new one, effectively splitting a single response into two distinct, attacker-influenced messages. This manipulation of the HTTP stream enables several serious attacks. By controlling the second, forged response, an attacker can perform cross-site scripting (XSS), poison web caches to serve malicious content to other users, or trick the server into making unauthorized internal requests (SSRF). The core issue is a failure to sanitize separator characters before data is placed in headers, breaking the trust between interconnected HTTP components like servers, proxies, and browsers.
Common Consequences 1
Scope: IntegrityAccess Control

Impact: Modify Application DataGain Privileges or Assume Identity

CR and LF characters in an HTTP header may give attackers control of the remaining headers and body of the message that the application intends to send/receive, as well as allowing them to create additional messages entirely under their control.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 4
Phase: Implementation

Strategy: Input Validation

Construct HTTP headers very carefully, avoiding the use of non-validated input data.
Phase: Implementation

Strategy: Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. If an input does not strictly conform to specifications, reject it or transform it into something that conforms. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Phase: Implementation

Strategy: Output Encoding

Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Phase: Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (Incorrect Behavior Order: Validate Before Canonicalize). Make sure that the application does not decode the same input twice (Double Decoding of the Same Data). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Demonstrative Examples 5

ID : DX-224

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

Code Example:

Bad
Java
java
Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:

Code Example:

Result
bash
However, because the value of the cookie is composed of unvalidated user input, the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as

Code Example:

Attack
bash
then the HTTP response would be split into two responses of the following form:

Code Example:

Result
bash
The second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability to construct arbitrary HTTP responses permits a variety of resulting attacks, including:
- cross-user defacement - web and browser cache poisoning - cross-site scripting - page hijacking
An attacker can make a single request to a vulnerable server that will cause the server to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the server.
Cross-User Defacement can be accomplished by convincing the user to submit the malicious request themselves, or remotely in situations where the attacker and the user share a common TCP connection to the server, such as a shared proxy server. - In the best case, an attacker can leverage this ability to convince users that the application has been hacked, causing users to lose confidence in the security of the application. - In the worst case, an attacker may provide specially crafted content designed to mimic the behavior of the application but redirect private information, such as account numbers and passwords, back to the attacker.
The impact of a maliciously constructed response can be magnified if it is cached, either by a web cache used by multiple users or even the browser cache of a single user.
Cache Poisoning: if a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue receive the malicious content until the cache entry is purged. Similarly, if the response is cached in the browser of an individual user, then that user will continue to receive the malicious content until the cache entry is purged, although the user of the local browser instance will be affected.
Once attackers have control of the responses sent by an application, they have a choice of a variety of malicious content to provide users.
Cross-Site Scripting: cross-site scripting is common form of attack where malicious JavaScript or other code included in a response is executed in the user's browser. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site. The most common and dangerous attack vector against users of a vulnerable application uses JavaScript to transmit session and authentication information back to the attacker who can then take complete control of the victim's account.
In addition to using a vulnerable application to send malicious content to a user, the same weakness can also be leveraged to redirect sensitive content generated by the server to the attacker instead of the intended user.
Page Hijacking: by submitting a request that results in two responses, the intended response from the server and the response generated by the attacker, an attacker can cause an intermediate node, such as a shared proxy server, to misdirect a response generated by the server to the attacker instead of the intended user. Because the request made by the attacker generates two responses, the first is interpreted as a response to the attacker's request, while the second remains in limbo. When the user makes a legitimate request through the same TCP connection, the attacker's request is already waiting and is interpreted as a response to the victim's request. The attacker then sends a second request to the server, to which the proxy server responds with the server generated request intended for the victim, thereby compromising any sensitive information in the headers or body of the response intended for the victim.
Observed Examples 8
CVE-2020-15811Chain: Proxy uses a substring search instead of parsing the Transfer-Encoding header (Incorrect Comparison), allowing request splitting (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')) and cache poisoning
CVE-2021-41084Scala-based HTTP interface allows request splitting and response splitting through header names, header values, status reasons, and URIs
CVE-2018-12116Javascript-based framework allows request splitting through a path option of an HTTP request
CVE-2004-2146Application accepts CRLF in an object ID, allowing HTTP response splitting.
CVE-2004-1656Shopping cart allows HTTP response splitting to perform HTML injection via CRLF in a parameter for a url
CVE-2005-2060Bulletin board allows response splitting via CRLF in parameter.
CVE-2004-2512Response splitting via CRLF in PHPSESSID.
CVE-2005-1951e-commerce app allows HTTP response splitting using CRLF in object id parameters
References 3
OWASP TOP 10
OWASP
18-05-2007
https://github.com/owasp-top/owasp-top-2007
ID: REF-43
24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, and John Viega
McGraw-Hill
2010
ID: REF-44
HTTP Request Splitting
Robert Auger
01-02-2011
http://projects.webappsec.org/w/page/13246929/HTTP%20Request%20Splitting
ID: REF-1272
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
Web Based : Undetermined
Modes of Introduction
Implementation
Related Attack Patterns
Alternate Terms

HTTP Request Splitting

HTTP Response Splitting
Related Weaknesses
ChildOf: Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
CanPrecede: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
ChildOf: Improper Input Validation (CWE-20)
ChildOf: Interpretation Conflict (CWE-436)
Taxonomy Mapping
  • PLOVER
  • 7 Pernicious Kingdoms
  • WASC
  • Software Fault Patterns