Welcome to mirror list, hosted at ThFree Co, Russian Federation.

113.1.md « checks « dast « application_security « user « doc - gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/doc/user/application_security/dast/checks/113.1.md
blob: 44c3be330f29438987ee976211b5ab1b33b28e2c (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

---
stage: Secure
group: Dynamic Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---

# Improper Neutralization of CRLF Sequences in HTTP Headers

## Description

By inserting Carriage Return / Line Feed (CRLF) characters, malicious users could potentially inject arbitrary data into HTTP responses. By modifying HTTP responses, attackers could conduct cross-site scripting or cache poisoning attacks against other users of the system.

## Remediation

User input should never be used in constructing HTTP header responses without some form
of validation against newlines. This includes URLs supplied by the user for HTTP redirects.

## Details

| ID | Aggregated | CWE | Type | Risk |
|:---|:--------|:--------|:--------|:--------|
| 113.1 | false | 113 | Active | high |

## Links

- [OWASP](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)
- [CWE](https://cwe.mitre.org/data/definitions/113.html)
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-30 15:35:01 +0300