Improper Sanitization of HTTP Headers for Scripting Syntax
Weakness ID: 644 (Weakness Variant)
Status: Incomplete
+ Description

Description Summary

The application does not sanitize or incorrectly sanitizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Extended Description

If an application fails to filter or escape user-controlled data that is placed in the header of an HTTP response sent by the server, the header may contain a script that gets executed in the client's browser context, potentially resulting in a cross-site scripting vulnerability or an HTTP response splitting attack. It is important to carefully control data that is placed both in the HTTP response header and in the HTTP response body, to ensure that no scripting syntax is present, taking the various encodings into account.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope             Effect
Integrity         Run Arbitrary Code
Confidentiality   Information Leakage

+ Likelihood of Exploit

High

+ Enabling Factors for Exploitation

Script execution functionality is enabled in the user's browser.

+ Demonstrative Examples

Example 1

In the following Java example, user-controlled data is added to the HTTP headers and returned to the client. Given that the data is not subject to sanitization, a malicious user may be able to inject dangerous scripting tags that will lead to script execution in the client browser.

(Bad Code)
Example Language: Java
// Vulnerable: unsanitizedInputData comes straight from the request and is written into the response header without any filtering or encoding.
response.addHeader(HEADER_NAME, unsanitizedInputData);
+ Observed Examples
Reference       Description
CVE-2006-3918   Web server does not sanitize the Expect header from an HTTP request when it is reflected back in an error message, allowing a Flash SWF file to perform XSS attacks.
+ Potential Mitigations

Perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header.

Disable script execution functionality in the client's browser.
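The following Java class is an added example, not code from the CWE entry: it applies the output-validation mitigation above to the demonstrative example's addHeader call, rejecting any value that carries CR/LF (the response-splitting characters) or HTML/script delimiters before it reaches the header. Validation is done on the decoded value the application is about to emit, so percent-encoded forms are rejected by the allow-list rather than decoded. The class name, the allow-list pattern, HEADER_NAME and the sample inputs are assumptions for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the CWE entry): allow-list validation of a
 * user-controlled value before it is placed in an HTTP response header.
 * The allow-list pattern and HEADER_NAME are assumptions for illustration.
 */
public final class HeaderValueValidator {

    // Allow only printable ASCII that cannot act as a header delimiter and
    // cannot open HTML or script syntax. Narrow this to what the header needs.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9 ._\\-/:=,;]*");

    private static final int MAX_LENGTH = 256;

    private static final String HEADER_NAME = "X-Example-Header"; // assumed name

    /**
     * Returns the value unchanged when it is safe to emit, otherwise throws.
     * Rejecting (rather than stripping) keeps CR/LF out of the header, which
     * blocks response splitting, and keeps '<', '>', quotes and '%' out,
     * which blocks the script-in-header case this CWE describes.
     */
    public static String safeHeaderValue(String untrusted) {
        if (untrusted == null) {
            throw new IllegalArgumentException("header value is null");
        }
        if (untrusted.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("header value too long");
        }
        // Explicit control-character check first: CR and LF split the response.
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '\r' || c == '\n' || c < 0x20 || c > 0x7e) {
                throw new IllegalArgumentException("control or non-ASCII character in header value");
            }
        }
        if (!ALLOWED.matcher(untrusted).matches()) {
            throw new IllegalArgumentException("disallowed character in header value");
        }
        return untrusted;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign value, one carrying scripting
        // syntax, one carrying a CRLF sequence, and a percent-encoded form.
        String[] samples = {
            "user123",
            "<script>alert(1)</script>",
            "ok\r\nSet-Cookie: injected=1",
            "%3Cscript%3E"
        };
        for (String s : samples) {
            try {
                String v = safeHeaderValue(s);
                System.out.println("accepted: " + v);
                // In a servlet this is the point where the value is emitted:
                // response.addHeader(HEADER_NAME, v);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected (" + HEADER_NAME + "): " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; the other three are rejected before any header is written. The check is an allow-list on the decoded value rather than a deny-list of known bad strings, so alternative encodings of the same script syntax fail the same test instead of needing separate rules.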

+ Relationships
Nature    Type             ID    Name                                                                  View(s) this relationship pertains to
ChildOf   Weakness Class   116   Improper Encoding or Escaping of Output                               Development Concepts (primary) 699; Research Concepts (primary) 1000
ChildOf   Category         442   Web Problems                                                          Development Concepts 699
ChildOf   Category         725   OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws    Weaknesses in OWASP Top Ten (2004) (primary) 711
+ Content History
Submissions
Submission Date   Submitter          Organization   Source
2008-01-30        Evgeny Lebanidze   Cigital        External Submission

Modifications
Modification Date   Modifier           Organization   Source
2008-07-01          Sean Eidemiller    Cigital        External
                    added/updated demonstrative examples
2008-09-08          CWE Content Team   MITRE          Internal
                    updated Common Consequences, Relationships, Observed Example
2008-10-14          CWE Content Team   MITRE          Internal
                    updated Description, Name, Observed Examples, Relationships
2009-03-10          CWE Content Team   MITRE          Internal
                    updated Relationships
2009-05-27          CWE Content Team   MITRE          Internal
                    updated Description, Name
2009-10-29          CWE Content Team   MITRE          Internal
                    updated Common Consequences

Previous Entry Names
Change Date   Previous Entry Name
2008-10-14    Insufficient Filtering of HTTP Headers for Scripting Syntax
2009-05-27    Insufficient Sanitization of HTTP Headers for Scripting Syntax