gitlab.find_sec_bugs.HTTP_RESPONSE_SPLITTING-1
unknown
Download Count*
License
When an HTTP request contains unexpected CR and LF characters, the server may respond with an output stream that is interpreted as two different HTTP responses (instead of one). An attacker can control the second response and mount attacks such as cross-site scripting and cache poisoning attacks.
Run Locally
Run in CI
Defintion
rules:
- id: find_sec_bugs.HTTP_RESPONSE_SPLITTING-1
mode: taint
pattern-sources:
- pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameter(...);
pattern-sanitizers:
- patterns:
- pattern-inside: |
$STR.replaceAll("$REPLACE_CHAR", "$REPLACER");
...
- pattern: $STR
- metavariable-regex:
metavariable: $REPLACER
regex: .*^(CRLF).*
- metavariable-regex:
metavariable: $REPLACE_CHAR
regex: (*CRLF)
- pattern: org.apache.commons.text.StringEscapeUtils.unescapeJava(...);
pattern-sinks:
- pattern: new javax.servlet.http.Cookie("$KEY", ...);
- patterns:
- pattern-inside: |
$C = new javax.servlet.http.Cookie("$KEY", ...);
...
- pattern: $C.setValue(...);
message: >
When an HTTP request contains unexpected CR and LF characters, the server
may respond with an
output stream that is interpreted as two different HTTP responses (instead of one). An attacker
can control the second response and mount attacks such as cross-site scripting and cache
poisoning attacks.
languages:
- java
severity: WARNING
metadata:
category: security
cwe: "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP
Response Splitting')"
technology:
- java
primary_identifier: find_sec_bugs.HTTP_RESPONSE_SPLITTING-1
secondary_identifiers:
- name: Find Security Bugs-HTTP_RESPONSE_SPLITTING
type: find_sec_bugs_type
value: HTTP_RESPONSE_SPLITTING
license: MIT
Short Link: https://sg.run/jBZ2