[WEB SECURITY] Classification of HTTP Response Splitting vulnerabilities

Steven M. Christey coley at rcf-smtp.mitre.org
Mon Mar 21 15:19:34 EDT 2011

On Mon, 21 Mar 2011, Tim wrote:

> HTTP Response Splitting isn't a vulnerability.  It is an attack.  The
> vulnerability is HTTP header injection.  This is clear from your example:
>> http://site/page?p=%0AHeader:value
> You injected a header, you did not split the response into multiple
> responses.

I agree that "HTTP response splitting" is more of an attack than a 
vulnerability, but I still think the "HTTP header injection" term is 
attack-oriented - or, alternately, oriented towards "technical impact" or 
consequence (the attacker is "injecting" headers).

The vulnerability is in allowing header-separator sequences (in this 
syntactic context, CRLF) to be entered into header metadata, stemming from 
a combination of one or more "weaknesses" typically involving 
missing/incorrect input validation, and/or missing/incorrect ouptput 
encoding (which depends on the specific code's implementation/design 
combined with the programmer's intention, and as indirectly influenced in 
interpretation of the core issue based on which fix is selected even 
though most vulns/weaknesses have multiple different potential fixes, 
which suggest that solely fix-oriented classification is also faulty.)

> I think it is important to nail down correctly descriptive terminology 
> so people have an easier time understanding the core issue.

I agree as well, but I think it's pretty difficult to get this stuff 
right, and to develop terminology that is supported, accessible, and 
understandable to all.  Meanwhile there is the reality that catchy attack 
names often serve as the shorthand for the less-catchy-sounding errors 
that enable the attacks to take place.

Just some food for thought :-)  Collectively, we have a long way to go, 
and discussions like this can be informative.

- Steve

More information about the websecurity mailing list