generic.nginx.security.header-injection.header-injection
The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\s]+'.
Definition
rules:
  - id: header-injection
    pattern: |
      location ... <$VARIABLE> ... {
        ...
        add_header ... $$VARIABLE
        ...
      }
    paths:
      include:
        - "*.conf"
        - "*.vhost"
        - sites-available/*
        - sites-enabled/*
    languages:
      - generic
    severity: ERROR
    message: "The $$VARIABLE path parameter is added as a header in the response.
      This could allow an attacker to inject a newline and add a new header into
      the response. This is called HTTP response splitting. To fix, do not allow
      whitespace in the path parameter: '[^\\s]+'."
    metadata:
      cwe:
        - "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers
          ('HTTP Request/Response Splitting')"
      references:
        - https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
        - https://owasp.org/www-community/attacks/HTTP_Response_Splitting
      category: security
      technology:
        - nginx
      confidence: MEDIUM
      owasp:
        - A03:2021 - Injection
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
header-injection.conf
server {
    listen 80 default;
    # ruleid: header-injection
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
        return 200 "OK";
    }
    # ok: header-injection
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $request_uri;
        return 200 "OK";
    }
}
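As an added example (not part of the Semgrep rule or this page), a small Python checker that mirrors the rule's logic over the configuration above and also applies the recommended fix test: an add_header that echoes a named path capture is reported only when the capture's sub-pattern can still match whitespace, so the '[^\s]+' fix is recognised as safe. It assumes named captures without nested parentheses and a constructed sample configuration.

```python
import re

# Constructed sample config: the rule's two example blocks plus a third that
# applies the documented fix ('[^\s]+') to the capture.
SAMPLE_CONF = r"""
server {
    listen 80 default;
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;          # flagged: capture admits CR/LF
        return 200 "OK";
    }
    location ~ /v1/((?<action>[^\s]+)\.json)?$ {
        add_header X-Action $action;          # ok: whitespace excluded
        return 200 "OK";
    }
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $request_uri;     # ok: no capture echoed
        return 200 "OK";
    }
}
"""

LOCATION_RE = re.compile(r"location\s+~\*?\s+(\S+)\s*\{([^}]*)\}", re.S)
CAPTURE_RE = re.compile(r"\(\?<(\w+)>([^()]*)\)")  # named groups, no nesting
ADD_HEADER_RE = re.compile(r"add_header\s+(\S+)\s+([^;]+);")


def capture_allows_whitespace(subpattern: str) -> bool:
    """True if the capture's sub-pattern can consume a CR, LF or space."""
    compiled = re.compile(subpattern)
    return any(compiled.fullmatch(ch) is not None for ch in ("\r", "\n", " "))


def find_header_injections(conf: str) -> list:
    """Return (header, variable, location_regex) for every add_header inside a
    regex location that echoes a named capture able to contain whitespace."""
    findings = []
    for loc in LOCATION_RE.finditer(conf):
        loc_regex, body = loc.groups()
        captures = dict(CAPTURE_RE.findall(loc_regex))  # name -> sub-pattern
        for header, value in ADD_HEADER_RE.findall(body):
            for name in re.findall(r"\$(\w+)", value):
                if name in captures and capture_allows_whitespace(captures[name]):
                    findings.append((header, name, loc_regex))
    return findings


if __name__ == "__main__":
    for header, var, loc_regex in find_header_injections(SAMPLE_CONF):
        print(f"header-injection: add_header {header} ${var} in location ~ {loc_regex}")
```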
Short Link: https://sg.run/7oj4