CWE - CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax (3.4.1)

Weakness ID: 644

Abstraction: Variant
Structure: Simple

Status: Incomplete

Presentation Filter:

Description

The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Extended Description

An attacker may be able to conduct cross-site scripting and other attacks against users who have these components enabled.

If an application does not neutralize user controlled data being placed in the header of an HTTP response coming from the server, the header may contain a script that will get executed in the client's browser context, potentially resulting in a cross site scripting vulnerability or possibly an HTTP response splitting attack. It is important to carefully control data that is being placed both in HTTP response header and in the HTTP response body to ensure that no scripting syntax is present, taking various encodings into account.

Relationships

The table(s) below shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

Relevant to the view "Research Concepts" (CWE-1000)

Nature	Type	ID	Name
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	116	Improper Encoding or Escaping of Output

Relevant to the view "Development Concepts" (CWE-699)

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	442	Web Problems
ChildOf	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More general than a Base weakness.	116	Improper Encoding or Escaping of Output

Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the software life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase	Note
Architecture and Design
Implementation

Applicable Platforms

The listings below show possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.

Languages

Class: Language-Independent (Undetermined Prevalence)

Common Consequences

The table below specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Integrity Confidentiality Availability	Technical Impact: Execute Unauthorized Code or Commands Run arbitrary code.
Confidentiality	Technical Impact: Read Application Data Attackers may be able to obtain sensitive information.

Likelihood Of Exploit

High

Demonstrative Examples

Example 1

In the following Java example, user-controlled data is added to the HTTP headers and returned to the client. Given that the data is not subject to neutralization, a malicious user may be able to inject dangerous scripting tags that will lead to script execution in the client browser.

(bad code)

Example Language: Java

response.addHeader(HEADER_NAME, untrustedRawInputData);

Observed Examples

Reference	Description
CVE-2006-3918	Web server does not remove the Expect header from an HTTP request when it is reflected back in an error message, allowing a Flash SWF file to perform XSS attacks.

Potential Mitigations

Phase: Architecture and Design

Perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header.

Phase: Architecture and Design

Disable script execution functionality in the clients' browser.

Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Nature	Type	ID	Name
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	725	OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws
MemberOf	Category - a CWE entry that contains a set of other entries that share a common characteristic.	990	SFP Secondary Cluster: Tainted Input to Command

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
Software Fault Patterns	SFP24		Tainted input to command

Content History

Submissions
Submission Date	Submitter	Organization
2008-01-30	Evgeny Lebanidze	Cigital
2008-01-30
Modifications
Modification Date	Modifier	Organization
2008-07-01	Sean Eidemiller	Cigital
2008-07-01	added/updated demonstrative examples
2008-09-08	CWE Content Team	MITRE
2008-09-08	updated Common_Consequences, Relationships, Observed_Example
2008-10-14	CWE Content Team	MITRE
2008-10-14	updated Description, Name, Observed_Examples, Relationships
2009-03-10	CWE Content Team	MITRE
2009-03-10	updated Relationships
2009-05-27	CWE Content Team	MITRE
2009-05-27	updated Description, Name
2009-10-29	CWE Content Team	MITRE
2009-10-29	updated Common_Consequences
2010-04-05	CWE Content Team	MITRE
2010-04-05	updated Description, Name
2010-06-21	CWE Content Team	MITRE
2010-06-21	updated Demonstrative_Examples, Description, Observed_Examples
2010-12-13	CWE Content Team	MITRE
2010-12-13	updated Common_Consequences
2011-03-29	CWE Content Team	MITRE
2011-03-29	updated Description
2011-06-01	CWE Content Team	MITRE
2011-06-01	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE
2012-05-11	updated Relationships
2012-10-30	CWE Content Team	MITRE
2012-10-30	updated Potential_Mitigations
2014-07-30	CWE Content Team	MITRE
2014-07-30	updated Relationships, Taxonomy_Mappings
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Applicable_Platforms, Enabling_Factors_for_Exploitation
Previous Entry Names
Change Date	Previous Entry Name
2008-10-14	Insufficient Filtering of HTTP Headers for Scripting Syntax

2009-05-27	Insufficient Sanitization of HTTP Headers for Scripting Syntax

2010-04-05	Improper Sanitization of HTTP Headers for Scripting Syntax


	Use of the Common Weakness Enumeration and the associated references from this website are subject to the Terms of Use. For more information, please email cwe@mitre.org. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2006-2020, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.	Privacy Policy Terms of Use Site Map Contact Us

Common Weakness Enumeration

CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax