TID-325: HTTP Injection/Response Splitting
Threat Description
The device uses HTTP headers that are unencrypted, unvalidated, and/or unauthenticated. As a result, the device may accept and process arbitrary data sent over the network to its web server. Threat actors may therefore be able to inject their own data into a header, possibly using that input to obtain more information than they should have access to or to exploit a vulnerability on the receiving device.
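The following C sketch is an added example, not code from this page or from any product it names. It shows the missing validation step: a redirect builder that copies a caller-supplied value into a header, next to a form that rejects control bytes first. All function names and sample values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* A header value is safe for one header line only if it has no control
 * bytes (CR, LF, etc.) and no DEL; horizontal tab is permitted. */
int header_value_is_safe(const char *v)
{
    for (const unsigned char *p = (const unsigned char *)v; *p; p++)
        if ((*p < 0x20 && *p != '\t') || *p == 0x7f)
            return 0;
    return 1;
}

/* Weak form: caller-controlled text is copied straight into the header. */
int build_redirect_unsafe(char *out, size_t n, const char *target)
{
    int len = snprintf(out, n, "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n", target);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Hardened form: reject the value before it reaches the response. */
int build_redirect_safe(char *out, size_t n, const char *target)
{
    return header_value_is_safe(target) ? build_redirect_unsafe(out, n, target) : -1;
}

/* Count lines (status line included) before the blank line ending the headers. */
int count_header_lines(const char *resp)
{
    const char *end = strstr(resp, "\r\n\r\n");
    int lines = 0;
    if (!end)
        return -1;
    for (const char *p = resp; p <= end; p = strstr(p, "\r\n") + 2)
        lines++;
    return lines;
}

int main(void)
{
    /* Constructed inputs: a normal path and one carrying a CRLF sequence. */
    const char *ok = "/status", *bad = "/status\r\nX-Constructed: 1";
    char buf[256];

    build_redirect_unsafe(buf, sizeof buf, bad);
    printf("unsafe builder, header lines: %d (expected 2)\n", count_header_lines(buf));
    printf("safe builder, normal value: %d\n", build_redirect_safe(buf, sizeof buf, ok));
    printf("safe builder, CRLF value: %d\n", build_redirect_safe(buf, sizeof buf, bad));
    return 0;
}
```

A header-line count above the expected two is the observable sign that a value has broken out of its own header; the hardened builder returns -1 instead of emitting such a response.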
Threat Maturity and Evidence
Proof of Concept
“Divide and Conquer”: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics White paper
This white paper outlines how an HTTP Response Splitting attack can take place, the follow-up attacks that are possible, and the impact they can have on machines. The author conducts sample attacks in a lab environment.
CWE
CVE
Cogent DataHub XSS and CRLF - CVE-2012-0310
“An HTTP header injection vulnerability (also known as carriage return line feed) exists in the Cogent DataHub application as the product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.”