What is it and why should I care?
HTTP Header Injection is a specific injection attack that affects HTTP headers. It involves being able to manipulate the header data to cause various problems (response splitting, CRLF injection, cache poisoning, XSS, etc.). In general, it’s a lesser known and understood attack, which is usually a recipe for minimal protection in applications to prevent it, and that is certainly the case with header injection.
Likely the most common would be CRLF injection (Carriage Return [%0d or \r] Line Feed [%0a or \n]), which involves adding the CRLF to the header, which results in proxy servers/caches/browsers mis-interpreting the response in an insecure manner, and gives the attacker control of part or all of the “split” response. This can lead to the other issues mentioned above.
What should I do about it?
The recommendation for header injection is the same as that for all injections – validate and encode. For header injection specifically, you should ensure that you:
1. Canonicalize – make sure the data is in its’ simplest form before validation.
2. Validate – perform whitelist (only allow these few good characters) validation as opposed to blacklist (only reject these few bad characters) validation. Validation should ensure you don’t allow CR/LF characters in any encoded form.
3. Encode – encode the resulting output if necessary. If your input validation is tight enough, this step is just a layered defense, but you should encode in case anything ever slips by validation for some reason. Again, take special care to encode CR/LF here.