SYM_JAVA_0080 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
User input is placed directly into an HTTP cookie (the value, or occasionally the name) without validation or encoding. HTTP headers are delimited by CRLF sequences, so an attacker who can get a carriage return and line feed (`\r\n`, `%0d%0a` in a URL) into the cookie value can terminate the `Set-Cookie` header early and append headers or body content of their own choosing. Some servlet containers reject or strip CR/LF in header values, but that is a container-level defense; the application itself must validate or encode the value before it reaches the header.
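The following is an added example, not code from the Symbiotic-Vulnerability-Database. It builds a `Set-Cookie` header line by hand rather than through the Servlet API so it runs with the JDK alone, and contrasts raw concatenation of attacker-controlled input with two hardened variants: a strict check against the RFC 6265 `cookie-octet` character set, and percent-encoding of the value. The attacker payload and the cookie name are constructed for the example; the class and method names are illustrative.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.regex.Pattern;

public class CookieHeaderSplitting {

    // Constructed attacker input: ends the Set-Cookie header, adds a second
    // cookie, then a blank line so the remainder is parsed as the response body.
    static final String ATTACKER_INPUT =
        "abc\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>";

    // Vulnerable pattern: the value is concatenated into the header unchanged.
    static String vulnerableSetCookie(String name, String value) {
        return "Set-Cookie: " + name + "=" + value;
    }

    // RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
    // (printable US-ASCII excluding CTLs, whitespace, DQUOTE, comma,
    // semicolon and backslash). CR and LF are CTLs, so they never match.
    private static final Pattern COOKIE_OCTETS =
        Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");

    // RFC 2616 token for the cookie name: no CTLs and no separators.
    private static final Pattern TOKEN =
        Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");

    static boolean isValidCookieName(String name) {
        return name != null && TOKEN.matcher(name).matches();
    }

    static boolean isValidCookieValue(String value) {
        return value != null && COOKIE_OCTETS.matcher(value).matches();
    }

    // Hardened option 1: reject anything outside the grammar.
    static String strictSetCookie(String name, String value) {
        if (!isValidCookieName(name)) {
            throw new IllegalArgumentException("cookie name is not an HTTP token");
        }
        if (!isValidCookieValue(value)) {
            throw new IllegalArgumentException(
                "cookie value contains characters outside RFC 6265 cookie-octet");
        }
        return "Set-Cookie: " + name + "=" + value;
    }

    // Hardened option 2: percent-encode the value. URLEncoder emits only
    // unreserved characters, '+', '*' and %XX escapes, all of which are
    // cookie-octets, so CR and LF can no longer reach the header.
    static String encodedSetCookie(String name, String value) {
        if (!isValidCookieName(name)) {
            throw new IllegalArgumentException("cookie name is not an HTTP token");
        }
        return "Set-Cookie: " + name + "="
            + URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // Number of lines a header string would be parsed into; anything above 1
    // means the response has been split.
    static int headerLineCount(String header) {
        return header.split("\r\n", -1).length;
    }

    public static void main(String[] args) {
        String vulnerable = vulnerableSetCookie("pref", ATTACKER_INPUT);
        System.out.println("vulnerable header splits into "
            + headerLineCount(vulnerable) + " lines:");
        Arrays.stream(vulnerable.split("\r\n", -1))
              .forEach(l -> System.out.println("  |" + l + "|"));

        String encoded = encodedSetCookie("pref", ATTACKER_INPUT);
        System.out.println("encoded header splits into "
            + headerLineCount(encoded) + " line: " + encoded);

        try {
            strictSetCookie("pref", ATTACKER_INPUT);
        } catch (IllegalArgumentException e) {
            System.out.println("strict variant rejected input: " + e.getMessage());
        }
    }
}
```

Running the class shows the vulnerable header breaking into five lines (the original cookie, the injected `Set-Cookie`, an empty line, and the script body), while the encoded variant stays on one line and the strict variant throws. In a real servlet, the same checks belong in front of `response.addCookie(...)` or `response.addHeader(...)`; the strict variant is preferable when the value is something the application generated (a session or tracking identifier), the encoding variant when the value must carry arbitrary user text and will be decoded on the way back in.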
Impact
If exploited, an attacker can terminate the intended header and append headers or body content of their choosing, splitting one response into two or otherwise modifying it. Depending on what the attacker injects, this enables session fixation or hijacking through a forged `Set-Cookie`, web cache poisoning when an intermediary caches the attacker-controlled second response, and cross-site scripting when the injected body contains script, all of which undermine user trust and application security.