[WEB SECURITY] Classification of HTTP Response Splitting vulnerabilities
Steven M. Christey
coley at rcf-smtp.mitre.org
Mon Mar 21 15:19:34 EDT 2011
On Mon, 21 Mar 2011, Tim wrote:
> HTTP Response Splitting isn't a vulnerability. It is an attack. The
> vulnerability is HTTP header injection. This is clear from your example:
> You injected a header, you did not split the response into multiple
I agree that "HTTP response splitting" is more of an attack than a
vulnerability, but I still think the "HTTP header injection" term is
attack-oriented - or, alternately, oriented towards "technical impact" or
consequence (the attacker is "injecting" headers).
The vulnerability is in allowing header-separator sequences (in this
syntactic context, CRLF) to be entered into header metadata, stemming from
a combination of one or more "weaknesses" typically involving
missing/incorrect input validation, and/or missing/incorrect output
encoding (which depends on the specific code's implementation/design
combined with the programmer's intention, and as indirectly influenced in
interpretation of the core issue based on which fix is selected even
though most vulns/weaknesses have multiple different potential fixes,
which suggest that solely fix-oriented classification is also faulty.)
> I think it is important to nail down correctly descriptive terminology
> so people have an easier time understanding the core issue.
I agree as well, but I think it's pretty difficult to get this stuff
right, and to develop terminology that is supported, accessible, and
understandable to all. Meanwhile there is the reality that catchy attack
names often serve as the shorthand for the less-catchy-sounding errors
that enable the attacks to take place.
Just some food for thought :-) Collectively, we have a long way to go,
and discussions like this can be informative.
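The weakness the message describes is letting the header-separator sequence (CRLF) reach the header block unvalidated and unencoded. The following is an added example, not code from the thread or from any project discussed in it: it puts a vulnerable concatenation beside the two fixes the message names (input validation that rejects CR/LF, and output encoding that neutralizes them) and parses the resulting header block the way a client would, so the effect of each choice is visible. The function names and the constructed sample value are assumptions made for illustration.

```python
"""Added example: CRLF handling in HTTP header values.
Not code from the original thread; function names and the constructed
sample input are assumptions for illustration."""

import re
from urllib.parse import quote

# In this syntactic context the header separator is CRLF. A lone CR or LF
# is rejected too, since many servers and clients accept either as a line end.
_SEPARATOR = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a header value carries a line separator."""


def build_headers_unsafe(location: str) -> str:
    """Vulnerable form: the untrusted value is concatenated into the header
    block with no validation and no encoding (the weakness the thread names)."""
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"


def validate_header_value(value: str) -> str:
    """Fix 1, input validation: refuse any value containing CR or LF."""
    if _SEPARATOR.search(value):
        raise HeaderInjection("CR/LF not allowed in a header value")
    return value


def encode_header_value(value: str) -> str:
    """Fix 2, output encoding: percent-encode everything outside a small
    safe set, so CR and LF become %0D and %0A and can no longer act as
    a separator (an alternative fix for the same weakness)."""
    return quote(value, safe="/:?&=")


def build_headers_validated(location: str) -> str:
    return "HTTP/1.1 302 Found\r\nLocation: " + validate_header_value(location) + "\r\n\r\n"


def build_headers_encoded(location: str) -> str:
    return "HTTP/1.1 302 Found\r\nLocation: " + encode_header_value(location) + "\r\n\r\n"


def parse_header_names(raw: str) -> list:
    """Split the header block as a client would: one header per CRLF-separated
    line after the status line; return the header names seen."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # skip the status line
    return [line.split(":", 1)[0] for line in lines if ":" in line]


# Constructed sample input: a redirect target with an embedded CRLF sequence.
SAMPLE_INPUT = "/home\r\nX-Injected: demo"


def demo():
    """Return what each variant yields for SAMPLE_INPUT: the header names a
    client sees for the unsafe and encoded forms, and whether the validated
    form rejected the value."""
    unsafe_names = parse_header_names(build_headers_unsafe(SAMPLE_INPUT))
    encoded_names = parse_header_names(build_headers_encoded(SAMPLE_INPUT))
    try:
        build_headers_validated(SAMPLE_INPUT)
        rejected = False
    except HeaderInjection:
        rejected = True
    return unsafe_names, encoded_names, rejected


if __name__ == "__main__":
    print(demo())  # (['Location', 'X-Injected'], ['Location'], True)
```

The unsafe builder lets a single untrusted value produce two headers; the validating builder refuses the value outright, and the encoding builder keeps it as one header whose separator bytes are inert. Which fix is right depends on whether the application may legitimately need those characters in the value, which is the design-versus-intention question the message raises.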