HTTP Splitting

kotlin.http_splitting

Severity

critical

Resource

Injection

Language

Kotlin

Description

Improper Neutralization of CR/LF Sequences in HTTP Headers ('HTTP Request/Response Splitting').

HTTP response splitting occurs when user input is unsafely incorporated into HTTP response headers. Attackers exploit these vulnerabilities by injecting CR/LF (Carriage Return plus Line Feed) characters, effectively splitting the HTTP response into two separate responses.

This vulnerability is often referred to as HTTP Header Manipulation.

Rationale

Here is a simplified example of the vulnerability:

import javax.servlet.http.HttpServlet
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

class VulnerableServlet : HttpServlet() {
    override fun doGet(request: HttpServletRequest, response: HttpServletResponse) {
        val userInput = request.getParameter("user")
        // Potentially vulnerable if user input is not sanitized
        response.setHeader("Location", "http://example.com/welcome.jsp?user=$userInput")
    }
}

In the example above, if the user parameter is not properly sanitized, an attacker can inject an input like "John%0D%0ASet-Cookie:%20SESSIONID=malicious" allowing them to split the HTTP response and perform malicious actions.

HTTP response splitting can lead to serious security concerns such as:

Cross-Site Scripting (XSS): Leveraging the split response to inject script content into another user’s browser.
Web Cache Poisoning: Exploiting vulnerable proxy servers or caching mechanisms to cache a poisoned response.
Session Fixation: Forcing a user into a session where the session ID is specified by the attacker.

Mitigating this requires diligent input validation and proper handling of HTTP headers to ensure that malicious headers cannot be injected.

Remediation

Kotlin provides java.net.URLEncoder to safely encode input, when it is used to construct URLs added to HTTP headers. This can be used as follows:

import java.net.URLEncoder
import javax.servlet.http.HttpServlet
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

class SafeServlet : HttpServlet() {
    override fun doGet(request: HttpServletRequest, response: HttpServletResponse) {
        val userInput = request.getParameter("user")
        // Properly encode potentially unsafe user input
        val safeUserInput = URLEncoder.encode(userInput, "UTF-8")
        response.setHeader("Location", "http://example.com/welcome.jsp?user=$safeUserInput")
    }
}

If it is not possible to use untrusted input in HTTP headers, consider the following strategies to avoid HTTP response splitting:

Input Validation: Ensure all user inputs are validated and sanitized before inclusion in HTTP response headers. Either filter out or encode CR/LF characters, or better use a strict whitelist validation to enforce the expected data format for the header.
Output Encoding: Properly encode or replace any special characters in user input embedded within HTTP headers.
Library and Framework Use: Utilize security libraries for validation. Some frameworks include built-in protection against CR/LF injection in HTTP headers.
Security Testing: Implement automatic security testing mechanisms such as Static Application Security Testing (SAST) tools to detect HTTP response splitting vulnerabilities during the development phase.

By validating input, encoding output, and leveraging security libraries, the risk of HTTP response splitting can be significantly reduced in Kotlin applications.

Configuration

The detector has the following configurable parameters:

sources, that indicates the source kinds to check.
neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

CWE-113 : Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting').
OWASP Top 10 2021 - A03 : Injection.
HTTP Response Splitting attack.