HTTP Response Splitting¶
ID: py/http-response-splittingKind: path-problemSecurity severity: 6.1Severity: errorPrecision: highTags: - security - external/cwe/cwe-113 - external/cwe/cwe-079Query suites: - python-code-scanning.qls - python-security-extended.qls - python-security-and-quality.qls
Click to see the query in the CodeQL repository
Directly writing user input (for example, an HTTP request parameter) to an HTTP header can lead to an HTTP response-splitting vulnerability.
If user-controlled input is used in an HTTP header that allows line break characters, an attacker can inject additional headers or control the response body, leading to vulnerabilities such as XSS or cache poisoning.
Recommendation¶
Ensure that user input containing line break characters is not written to an HTTP header.
Example¶
In the following example, the case marked BAD writes user input to the header name. In the GOOD case, input is first escaped to not contain any line break characters.
@app.route("/example_bad")defexample_bad():rfs_header=request.args["rfs_header"]response=Response()custom_header="X-MyHeader-"+rfs_header# BAD: User input is used as part of the header name.response.headers[custom_header]="HeaderValue"returnresponse@app.route("/example_good")defexample_bad():rfs_header=request.args["rfs_header"]response=Response()custom_header="X-MyHeader-"+rfs_header.replace("\n","").replace("\r","").replace(":","")# GOOD: Line break characters are removed from the input.response.headers[custom_header]="HeaderValue"returnresponse
References¶
SecLists.org:HTTP response splitting.
OWASP:HTTP Response Splitting.
Wikipedia:HTTP response splitting.
Common Weakness Enumeration:CWE-113.
Common Weakness Enumeration:CWE-79.