Input Validation / HTTP Response Header Injection

Web and API

Description

HTTP Response Header Injection is an input validation vulnerability that occurs when user-supplied data is written into an HTTP response header without the carriage return (CR, %0d) and line feed (LF, %0a) characters being removed or encoded. Because CRLF separates header lines, an attacker who controls a value that is reflected in a header such as Location or Set-Cookie can terminate that header line and append headers of their own. If two consecutive CRLF sequences are injected, the header section ends early and the rest of the payload is delivered as the response body; this variant is known as HTTP Response Splitting. The injected headers and body are interpreted by the victim's browser and by any caching proxy in between, not by the web application itself. Depending on what is injected, this enables Cross-Site Scripting (through an attacker-supplied body), redirection of the user to a malicious website (through an overridden Location header) and the setting of attacker-chosen cookies. The weakness belongs to the broader Input Validation class (CWE-20), with CWE-113 as the more specific entry, and is covered by the OWASP Testing Guide v4.

Risk

The severity depends on which header the attacker controls and on what sits between the server and the user. Since the injected headers and body are interpreted by the victim's browser, the typical impact is client-side: script execution in the application's origin (XSS), with the theft of session tokens and credentials that implies, redirection to phishing pages, and cookie fixation. Where a caching proxy or CDN stores the crafted response, a single request can poison the cache so that every subsequent user receives the malicious response. Server-side code execution or disruption of the whole system is not a direct consequence of this vulnerability; the risk is to users, their sessions and their data.

Solution

Treat any value that will be placed in a response header as untrusted. Reject, rather than attempt to clean, any value containing CR (\r), LF (\n) or other control characters, and apply the check to the decoded value, since the payload usually arrives URL-encoded as %0d%0a. Build headers through the web framework's header API instead of concatenating strings, and confirm that the framework and server in use refuse CR/LF in header values; most current ones do, but this should be verified by sending a %0d%0a payload and inspecting the raw response rather than assumed. Validate the value against what the header actually expects: a redirect target should be a relative path or a URL on an allow-listed host, and a cookie value should match a strict character set. Finally, percent-encode the value so that characters outside the allowed alphabet cannot change the header's meaning.
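The following is an added example and not code from the original page: a Python model of a redirect endpoint that places a user-controlled `next` parameter in the Location header, first with plain string concatenation and then with the validation described above. The raw-response builder stands in for a server that does not police header values; the allow-listed host `app.example.com`, the payload and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import quote, urlsplit

# Constructed payload, as the application would see it after the framework
# has URL-decoded a query parameter such as ?next=/home%0d%0aSet-Cookie:...
MALICIOUS_NEXT = (
    "/home\r\n"
    "Set-Cookie: session=attacker\r\n"
    "\r\n"
    "<script>alert(document.cookie)</script>"
)

# Hypothetical host that redirects may target (assumption for this example).
ALLOWED_HOST = "app.example.com"

# Characters allowed unencoded in a URL placed in the Location header.
URL_SAFE = "/:?=&#%@!$'()*+,;~-._"


def build_redirect_vulnerable(next_url: str) -> bytes:
    """Concatenate user input straight into the Location header.

    Models a server that does not check header values: the CR/LF inside
    next_url end the header line, so the attacker's Set-Cookie line becomes
    a real header and the text after the blank line becomes the body.
    """
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {next_url}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def safe_redirect_target(next_url: str) -> str:
    """Validate and encode a redirect target before it goes into a header.

    Raises ValueError on anything that could alter the header or send the
    user off-site; returns a percent-encoded value otherwise.
    """
    # 1. Reject CR, LF and every other control character outright.
    if re.search(r"[\x00-\x1f\x7f]", next_url):
        raise ValueError("control character in redirect target")
    # 2. Reject backslashes: browsers treat "/\evil.example" like "//evil.example".
    if "\\" in next_url:
        raise ValueError("backslash in redirect target")
    # 3. Allow only an absolute local path or an https URL on the allow-listed host.
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        if parts.scheme != "https" or parts.netloc != ALLOWED_HOST:
            raise ValueError("redirect to a non-allow-listed host")
    elif not next_url.startswith("/") or next_url.startswith("//"):
        # "///evil.example" parses with an empty netloc here but browsers
        # still treat it as a host, so any leading "//" is refused.
        raise ValueError("redirect target must be a single absolute path")
    # 4. Percent-encode anything outside the safe URL alphabet.
    return quote(next_url, safe=URL_SAFE)


def build_redirect_safe(next_url: str) -> bytes:
    """Same response as above, but only with a validated, encoded target."""
    target = safe_redirect_target(next_url)
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def redirect_accepted(next_url: str) -> bool:
    """True if the validator lets the target through, False if it rejects it."""
    try:
        safe_redirect_target(next_url)
        return True
    except ValueError:
        return False


def split_response(raw: bytes):
    """Parse a raw response the way a client would: status line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


if __name__ == "__main__":
    status, headers, body = split_response(build_redirect_vulnerable(MALICIOUS_NEXT))
    print("vulnerable:", status, headers, body[:40])
    print("hardened accepts payload:", redirect_accepted(MALICIOUS_NEXT))
    print("hardened:", split_response(build_redirect_safe("/account?tab=security"))[1])
```

Run as-is, the vulnerable builder yields a response in which the browser sees a genuine `Set-Cookie: session=attacker` header and a `<script>` body, while the hardened validator refuses the same payload, as well as the `//evil.example`, `///evil.example` and `/\evil.example` forms that would otherwise become open redirects even with CR/LF filtered.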
