Commit daa31b5

Add documentation
1 parent 8636a50 commit daa31b5

File tree

4 files changed

+58
-35
lines changed

Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
6+
<overview>
7+
<p>Directly writing user input (for example, an HTTP request parameter) to an HTTP header
8+
can lead to an HTTP response-splitting vulnerability.</p>
9+
10+
<p>If user-controlled input is used in an HTTP header that allows line break characters, an attacker can
11+
inject additional headers or control the response body, leading to vulnerabilities such as XSS or cache poisoning.
12+
</p>
13+
14+
</overview>
15+
16+
<recommendation>
17+
Ensure that user input containing line break characters is not written to an HTTP header.
18+
</recommendation>
19+
20+
<example>
21+
In the following example, the case marked BAD writes user input to the header name.
22+
In the GOOD case, input is first escaped to not contain any line break characters.
23+
<sample src="examples/header_injection.py" />
24+
</example>
25+
26+
<references>
27+
<li>
28+
SecLists.org: <a href="https://seclists.org/bugtraq/2005/Apr/187">HTTP response splitting</a>.
29+
</li>
30+
<li>
31+
OWASP:
32+
<a href="https://www.owasp.org/index.php/HTTP_Response_Splitting">HTTP Response Splitting</a>.
33+
</li>
34+
<li>
35+
Wikipedia: <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">HTTP response splitting</a>.
36+
</li>
37+
<li>
38+
CAPEC: <a href="https://capec.mitre.org/data/definitions/105.html">CAPEC-105: HTTP Request Splitting</a>
39+
</li>
40+
</references>
41+
</qhelp>
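Review bot: the `<example>` text says the GOOD case "escaped" the input, but the companion sample (and its GOOD comment) strips the CR/LF characters rather than escaping them; say "stripped of line break characters" so the prose matches the code. In `<references>`, the last item cites "CAPEC-105: HTTP Request Splitting" while the query and the rest of the help text are about HTTP *response* splitting, so check that this is the intended CAPEC entry; it is also the only list item without a trailing period after the link.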
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
@app.route("/example_bad")
2+
def example_bad():
3+
rfs_header = request.args["rfs_header"]
4+
response = Response()
5+
custom_header = "X-MyHeader-" + rfs_header
6+
# BAD: User input is used as part of the header name.
7+
response.headers[custom_header] = "HeaderValue"
8+
return response
9+
10+
@app.route("/example_good")
11+
def example_bad():
12+
rfs_header = request.args["rfs_header"]
13+
response = Response()
14+
custom_header = "X-MyHeader-" + rfs_header.replace("\n", "").replace("\r","").replace(":","")
15+
# GOOD: Line break characters are removed from the input.
16+
response.headers[custom_header] = "HeaderValue"
17+
return response
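Review bot: both view functions are named `example_bad`, so the second definition shadows the first and, since Flask derives the endpoint name from the function name, registering `/example_good` fails with an endpoint-collision error; rename the second one to `def example_good():`. The sample also uses `app`, `request` and `Response` without the corresponding `from flask import Flask, request, Response`, and the GOOD branch's comment says only line break characters are removed while the code additionally strips `:`; either drop `.replace(":","")` or extend the comment, since removing `\r` and `\n` is the part that actually prevents the header injection this query describes.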

python/ql/src/experimental/Security/CWE-113/HeaderInjection.qhelp

Lines changed: 0 additions & 26 deletions
This file was deleted.

python/ql/src/experimental/Security/CWE-113/header_injection.py

Lines changed: 0 additions & 9 deletions
This file was deleted.
