CWE - CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax (2.1)

Home > CWE List > CWE- Individual Dictionary Definition (2.1)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS
CWRAF
T-Shirt

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Coverage Claims Representation
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax

Improper Neutralization of HTTP Headers for Scripting Syntax

Weakness ID: 644 (Weakness Variant)

Status: Incomplete

Description

Description Summary

The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Extended Description

An attacker may be able to conduct cross-site scripting and other attacks against users who have these components enabled.

If an application does not neutralize user controlled data being placed in the header of an HTTP response coming from the server, the header may contain a script that will get executed in the client's browser context, potentially resulting in a cross site scripting vulnerability or possibly an HTTP response splitting attack. It is important to carefully control data that is being placed both in HTTP response header and in the HTTP response body to ensure that no scripting syntax is present, taking various encodings into account.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

All

Common Consequences

Scope	Effect
Integrity Confidentiality Availability	Technical Impact: Execute unauthorized code or commands Run arbitrary code.
Confidentiality	Technical Impact: Read application data Attackers may be able to obtain sensitive information.

Likelihood of Exploit

High

Enabling Factors for Exploitation

Script execution functionality is enabled in the user's browser.

Demonstrative Examples

Example 1

In the following Java example, user-controlled data is added to the HTTP headers and returned to the client. Given that the data is not subject to neutralization, a malicious user may be able to inject dangerous scripting tags that will lead to script execution in the client browser.

(Bad Code)

Example Language: Java

response.addHeader(HEADER_NAME, untrustedRawInputData);

Observed Examples

Reference	Description
CVE-2006-3918	Web server does not remove the Expect header from an HTTP request when it is reflected back in an error message, allowing a Flash SWF file to perform XSS attacks.

Potential Mitigations

Perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header.

Disable script execution functionality in the clients' browser.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	116	Improper Encoding or Escaping of Output	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	442	Web Problems	Development Concepts699
ChildOf	Category	725	OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws	Weaknesses in OWASP Top Ten (2004) (primary)711

Content History

Submissions
Submission Date	Submitter	Organization	Source
2008-01-30	Evgeny Lebanidze	Cigital	External Submission
2008-01-30
Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Sean Eidemiller	Cigital	External
2008-07-01	added/updated demonstrative examples
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Common_Consequences, Relationships, Observed_Example
2008-10-14	CWE Content Team	MITRE	Internal
2008-10-14	updated Description, Name, Observed_Examples, Relationships
2009-03-10	CWE Content Team	MITRE	Internal
2009-03-10	updated Relationships
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Description, Name
2009-10-29	CWE Content Team	MITRE	Internal
2009-10-29	updated Common_Consequences
2010-04-05	CWE Content Team	MITRE	Internal
2010-04-05	updated Description, Name
2010-06-21	CWE Content Team	MITRE	Internal
2010-06-21	updated Demonstrative_Examples, Description, Observed_Examples
2010-12-13	CWE Content Team	MITRE	Internal
2010-12-13	updated Common_Consequences
2011-03-29	CWE Content Team	MITRE	Internal
2011-03-29	updated Description
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
Previous Entry Names
Change Date	Previous Entry Name
2008-10-14	Insufficient Filtering of HTTP Headers for Scripting Syntax

2009-05-27	Insufficient Sanitization of HTTP Headers for Scripting Syntax

2010-04-05	Improper Sanitization of HTTP Headers for Scripting Syntax

Page Last Updated: September 12, 2011


	CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us