java.lang.security.audit.http-response-splitting.http-response-splitting
Community Favorite
Author: semgrep
Download count: 73,396
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.
Definition
rules:
  - id: http-response-splitting
    metadata:
      cwe:
        - "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers
          ('HTTP Request/Response Splitting')"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING
      references:
        - https://www.owasp.org/index.php/HTTP_Response_Splitting
      category: security
      technology:
        - java
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation
    message: Older Java application servers are vulnerable to HTTP response
      splitting, which may occur if an HTTP request can be injected with CRLF
      characters. This finding is reported for completeness; it is recommended
      to ensure your environment is not affected by testing this yourself.
    severity: INFO
    languages:
      - java
    pattern-either:
      - pattern: |
          $VAR = $REQ.getParameter(...);
          ...
          $COOKIE = new Cookie(..., $VAR, ...);
          ...
          $RESP.addCookie($COOKIE, ...);
      - patterns:
          - pattern-inside: |
              $RETTYPE $FUNC(...,@PathVariable $TYPE $VAR, ...) {
                ...
              }
          - pattern: |
              $COOKIE = new Cookie(..., $VAR, ...);
              ...
              $RESP.addCookie($COOKIE, ...);
Examples
http-response-splitting.java
@Controller
@RequestMapping("/api/test")
public class TestController {

    @RequestMapping(method = RequestMethod.GET)
    @PreAuthorize(Permissions.ADMIN)
    @ResponseBody
    public void list(HttpServletRequest request, HttpServletResponse response) {
        // ruleid:http-response-splitting
        String author = request.getParameter(AUTHOR_PARAMETER);
        Cookie cookie = new Cookie("author", author);
        response.addCookie(cookie);
    }

    @RequestMapping(value = "/{name}", method = RequestMethod.POST)
    @PreAuthorize(Permissions.USER)
    @ResponseBody
    public void load(@PathVariable final String name, HttpServletResponse response) throws APIException {
        // ruleid:http-response-splitting
        Cookie cookie = new Cookie("author", name);
        response.addCookie(cookie);
    }

    private Response safe(String name, Response response) {
        // ok:http-response-splitting
        Cookie cookie = new Cookie("author", name);
        response.addCookie(cookie);
        return response;
    }

    @RequestMapping(value = "/{name}/{book}", method = RequestMethod.POST)
    @PreAuthorize(Permissions.USER)
    @ResponseBody
    public void loadBook(@PathVariable final String name, @PathVariable final String book, HttpServletResponse response) throws APIException {
        AuthorObj author = AuthorObj.getAuthor(name, book);
        // ok:http-response-splitting
        Cookie cookie = new Cookie("sess", "1234");
        response.addCookie(cookie);
    }
}
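A hardened counterpart to the flagged `list` and `load` methods above, as an added example that is not part of the Semgrep rule or its test file. The danger in the flagged code is that `getParameter` and `@PathVariable` values are URL-decoded, so a request carrying `%0d%0a` hands the controller a string containing CR LF; an application server that copies that string into the `Set-Cookie` header without checking it lets the attacker terminate the header and append headers or a body of their own. The example below rejects anything outside the RFC 6265 `cookie-octet` set before the value can reach a header. Assumptions: the `javax.servlet` API and Spring MVC annotations (the test file uses both without showing imports), a controller class name and request mapping chosen for this example, and a hypothetical helper `requireCookieValue`; the `@PreAuthorize` annotations are omitted because `Permissions` is not defined on this page.

```java
import java.util.regex.Pattern;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("/api/safe")
public class SafeAuthorController {

    // RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E.
    // Excludes all CTLs (so CR and LF), space, DQUOTE, comma, semicolon and backslash.
    private static final Pattern COOKIE_VALUE =
        Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");

    /**
     * Hypothetical helper (not from the page): returns the value unchanged if it is
     * a valid cookie-octet string, otherwise throws. Rejecting rather than stripping
     * keeps the validation easy to reason about: a value that reaches a header is
     * exactly the value the client sent, and it cannot contain a line break.
     */
    static String requireCookieValue(String value) {
        if (value == null || !COOKIE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid cookie value");
        }
        return value;
    }

    @RequestMapping(method = RequestMethod.GET)
    @ResponseBody
    public void list(HttpServletRequest request, HttpServletResponse response) {
        // Attacker-controlled: "?author=x%0d%0aSet-Cookie:%20admin=true" arrives here
        // as "x\r\nSet-Cookie: admin=true" after URL decoding.
        String author = request.getParameter("author");
        // Validated before it can reach the Set-Cookie header; CR/LF are rejected.
        Cookie cookie = new Cookie("author", requireCookieValue(author));
        cookie.setHttpOnly(true);
        response.addCookie(cookie);
    }

    @RequestMapping(value = "/{name}", method = RequestMethod.POST)
    @ResponseBody
    public void load(@PathVariable final String name, HttpServletResponse response) {
        // A path segment is just as attacker-controlled as a query parameter.
        Cookie cookie = new Cookie("author", requireCookieValue(name));
        cookie.setHttpOnly(true);
        response.addCookie(cookie);
    }
}
```

In a real application the `IllegalArgumentException` would be mapped to a 400 response rather than a 500. Note that the rule's pattern binds `$VAR` to the bare parameter identifier, so a cookie built from `requireCookieValue(name)` no longer matches it; that is the intended outcome here, but it also means a validating wrapper that does nothing would silence the finding just as effectively, so review what such a wrapper actually checks. Current servlet containers generally reject CR and LF in header values themselves; the rule is INFO severity precisely because the exposure depends on the container in use, which is why the message asks you to test your own environment.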
Short Link: https://sg.run/eL0l