Improper Neutralization of HTTP Headers for Scripting Syntax

Incomplete Variant

Structure: Simple

Description

This vulnerability occurs when an application fails to properly sanitize or escape user-controlled data placed within HTTP response headers. Malicious scripting syntax can then be injected and executed by client-side components like Flash that process raw headers.

Extended Description

Attackers can exploit this weakness to launch cross-site scripting (XSS) attacks against users. When a browser or plugin processes a tainted HTTP header, embedded scripts run within the victim's browser context, potentially stealing session cookies, defacing websites, or performing actions on the user's behalf. Preventing this requires strict validation and encoding of all data before it is inserted into any HTTP response header, not just the body. Developers must account for various encoding schemes attackers might use to bypass filters. This control is essential for blocking both XSS and related HTTP response splitting attacks.

Common Consequences 2

Scope: IntegrityConfidentialityAvailability

Impact: Execute Unauthorized Code or Commands

Run arbitrary code.

Scope: Confidentiality

Impact: Read Application Data

Attackers may be able to obtain sensitive information.

Potential Mitigations 2

Phase: Architecture and Design

Perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header.

Phase: Architecture and Design

Disable script execution functionality in the clients' browser.

Demonstrative Examples 1

In the following Java example, user-controlled data is added to the HTTP headers and returned to the client. Given that the data is not subject to neutralization, a malicious user may be able to inject dangerous scripting tags that will lead to script execution in the client browser.

Code Example:Bad
Java
java

Observed Examples 1

CVE-2006-3918Web server does not remove the Expect header from an HTTP request when it is reflected back in an error message, allowing a Flash SWF file to perform XSS attacks.

Likelihood of Exploit

High

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Technologies:

Web Based : Undetermined

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Improper Encoding or Escaping of Output (CWE-116)

Taxonomy Mapping

Software Fault Patterns