Common Weakness Enumeration (CWE)

A Community-Developed List of Software Weakness Types

CWE Individual Dictionary Definition (2.10)
CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax

Weakness ID: 644
Abstraction: Variant
Status: Incomplete
+ Description

Description Summary

The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Extended Description

An attacker may be able to conduct cross-site scripting and other attacks against users who have these components enabled.

If an application places user-controlled data into the header of an HTTP response without neutralizing it, the header may carry script that is executed in the client's browser context, producing a cross-site scripting vulnerability; if the data can also carry line-break sequences, it may enable an HTTP response splitting attack. Data placed in both the HTTP response headers and the HTTP response body must therefore be carefully controlled so that no scripting syntax is present, taking alternate encodings of the same characters into account.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope | Effect

Integrity, Confidentiality, Availability | Technical Impact: Execute unauthorized code or commands. Run arbitrary code.

Confidentiality | Technical Impact: Read application data. Attackers may be able to obtain sensitive information.

+ Likelihood of Exploit

High

+ Enabling Factors for Exploitation

Script execution functionality is enabled in the user's browser.

+ Demonstrative Examples

Example 1

In the following Java example, user-controlled data is added to the HTTP headers and returned to the client. Given that the data is not subject to neutralization, a malicious user may be able to inject dangerous scripting tags that will lead to script execution in the client browser.

(Bad Code)
Example Language: Java
// untrustedRawInputData is copied into the response header with no validation or encoding
response.addHeader(HEADER_NAME, untrustedRawInputData);
+ Observed Examples
Reference | Description
(reference not captured) | Web server does not remove the Expect header from an HTTP request when it is reflected back in an error message, allowing a Flash SWF file to perform XSS attacks.
+ Potential Mitigations

Phase: Architecture and Design

Validate output: filter, escape or encode any unsafe data before the server places it in an HTTP response header.

Phase: Architecture and Design

Disable script execution functionality in the client's browser. This is a client-side measure only; it does not remove the weakness from the server.
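The following is an added example, not part of the CWE entry or of any project it references. It is a framework-agnostic Python counterpart to the entry's Java demonstrative example and to the output-validation mitigation above: add_header_vulnerable mirrors the unvalidated response.addHeader call, while neutralize_header_value implements the mitigation, rejecting CR/LF/NUL (the response-splitting case) and percent-encoding every character outside a conservative allowlist so that no scripting syntax reaches a raw-header consumer. The header name, the allowlist and the sample inputs are assumptions made for this illustration; the sample inputs are constructed, not taken from any real incident.

```python
import string
import urllib.parse
from typing import List, Optional, Tuple

# Constructed sample inputs (assumed for this example): values an attacker could place in a
# request parameter or request header that the server then copies into a response header.
SAMPLE_INPUTS = {
    "benign": "en-US, fr;q=0.8",
    "xss": "<script>alert(document.cookie)</script>",
    "splitting": "ok\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>",
    "encoded": "%3Cscript%3Ealert(1)%3C/script%3E",
}

# Allowlist for header values (an assumption; tighten it per header). It deliberately
# excludes < > " ' \ and also %, so that a pre-encoded payload cannot survive a later
# decode by a header-reading component.
_SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "-_.,:;/=?&@+() ")

Headers = List[Tuple[str, str]]


class HeaderInjectionAttempt(ValueError):
    """CR, LF or NUL in a header value is an attack signal, not merely bad data."""


def add_header_vulnerable(headers: Headers, name: str, untrusted: str) -> None:
    """Counterpart of the entry's bad Java: response.addHeader(HEADER_NAME, untrustedRawInputData)."""
    headers.append((name, untrusted))


def neutralize_header_value(untrusted: str, max_len: int = 1024) -> str:
    """Return a header-safe form of untrusted input.

    1. CR/LF/NUL are rejected outright because they terminate the header and split the
       response; stripping them silently would hide the attempt from logs.
    2. Every character outside the allowlist is percent-encoded, which removes the scripting
       syntax that a component processing raw headers (such as Flash) might execute.
    """
    if any(ch in untrusted for ch in "\r\n\x00"):
        raise HeaderInjectionAttempt("CR/LF/NUL in header value")
    if len(untrusted) > max_len:
        raise ValueError("header value exceeds %d characters" % max_len)
    return "".join(
        ch if ch in _SAFE_CHARS else urllib.parse.quote(ch, safe="") for ch in untrusted
    )


def add_header_safe(headers: Headers, name: str, untrusted: str) -> None:
    """The mitigated form: neutralize before the value ever reaches the response."""
    headers.append((name, neutralize_header_value(untrusted)))


def try_neutralize(untrusted: str) -> Optional[str]:
    """Neutralized value, or None when the input was rejected as an injection attempt."""
    try:
        return neutralize_header_value(untrusted)
    except HeaderInjectionAttempt:
        return None


def render(headers: Headers) -> str:
    """Serialize headers as they would go on the wire, so an injected line becomes visible."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


if __name__ == "__main__":
    for label, value in SAMPLE_INPUTS.items():
        bad: Headers = []
        add_header_vulnerable(bad, "X-Preferred-Language", value)
        print(f"[{label}] vulnerable:  {render(bad)!r}")
        print(f"[{label}] neutralized: {try_neutralize(value)!r}")
```

Run as a script, the "splitting" input shows a second Set-Cookie header line appearing in the vulnerable rendering and a rejection in the neutralized one, while the "encoded" input comes out double-encoded rather than passing through as a payload waiting for a single decode.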

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 116 | Improper Encoding or Escaping of Output | Development Concepts (primary) 699; Research Concepts (primary) 1000
ChildOf | Category | 442 | Web Problems | Development Concepts 699
ChildOf | Category | 725 | OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws | Weaknesses in OWASP Top Ten (2004) (primary) 711
ChildOf | Category | 990 | SFP Secondary Cluster: Tainted Input to Command | Software Fault Pattern (SFP) Clusters (primary) 888
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
Software Fault Patterns | SFP24 | | Tainted input to command
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
2008-01-30 | Evgeny Lebanidze | Cigital | External Submission
Modifications
Modification Date | Modifier | Organization | Source | Change
2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples
2008-09-08 | CWE Content Team | MITRE | Internal | updated Common_Consequences, Relationships, Observed_Example
2008-10-14 | CWE Content Team | MITRE | Internal | updated Description, Name, Observed_Examples, Relationships
2009-03-10 | CWE Content Team | MITRE | Internal | updated Relationships
2009-05-27 | CWE Content Team | MITRE | Internal | updated Description, Name
2009-10-29 | CWE Content Team | MITRE | Internal | updated Common_Consequences
2010-04-05 | CWE Content Team | MITRE | Internal | updated Description, Name
2010-06-21 | CWE Content Team | MITRE | Internal | updated Demonstrative_Examples, Description, Observed_Examples
2010-12-13 | CWE Content Team | MITRE | Internal | updated Common_Consequences
2011-03-29 | CWE Content Team | MITRE | Internal | updated Description
2011-06-01 | CWE Content Team | MITRE | Internal | updated Common_Consequences
2012-05-11 | CWE Content Team | MITRE | Internal | updated Relationships
2012-10-30 | CWE Content Team | MITRE | Internal | updated Potential_Mitigations
2014-07-30 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy_Mappings
Previous Entry Names
Change Date | Previous Entry Name
2008-10-14 | Insufficient Filtering of HTTP Headers for Scripting Syntax
2009-05-27 | Insufficient Sanitization of HTTP Headers for Scripting Syntax
2010-04-05 | Improper Sanitization of HTTP Headers for Scripting Syntax

Page Last Updated: January 18, 2017