header-injection.yaml
rules:
- id: header-injection
  pattern: |
    location ... <$VARIABLE> ... {
      ...
      add_header ... $$VARIABLE
      ...
    }
  paths:
    include:
    - '*.conf'
    - '*.vhost'
    - sites-available/*
    - sites-enabled/*
  languages:
  - generic
  severity: ERROR
  message: >-
    The $$VARIABLE path parameter is added as a header in the response.
    This could allow an attacker to inject a newline and add a new header into the response.
    This is called HTTP response splitting.
    To fix, do not allow whitespace in the path parameter: '[^\s]+'.
  metadata:
    cwe:
    - "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"
    references:
    - https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
    - https://owasp.org/www-community/attacks/HTTP_Response_Splitting
    category: security
    technology:
    - nginx
    confidence: MEDIUM
    owasp:
    - A03:2021 - Injection
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
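
The configuration the rule message describes, next to the fix it suggests, as an added nginx example that is not part of the original rule file or of the project's own test fixtures. The server name, port, paths and header name are constructed for illustration.

```nginx
# Constructed sample; server name, port, paths and header name are assumptions.
server {
    listen 8080;
    server_name example.test;

    # Weak: [^.]* is a negated character class, so it also matches CR and LF.
    # nginx matches location regexes against the decoded URI, so an encoded
    # line break in the path lands inside $action and then in the header value.
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
    }

    # Hardened as the rule message suggests: the capture excludes whitespace,
    # so a path containing a line break does not match this location at all.
    location ~ ^/v2/(?<action>[^\s]+)\.json$ {
        add_header X-Action $action;
    }

    # Outside the rule's pattern: no named capture reaches add_header.
    location /v3/ {
        add_header X-Action "static";
    }
}
```

The rule's pattern keys on the capture name reaching `add_header` and does not read the character class, so it reports both the `/v1/` and the `/v2/` block. The `/v2/` finding is one to review and accept, not a sign that the fix failed.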