CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax

Weakness ID: 644
Vulnerability Mapping: ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Abstraction: Variant (a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.)
Description

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Extended Description

An attacker may be able to conduct cross-site scripting and other attacks against users who have these components enabled. If a product does not neutralize user-controlled data being placed in the header of an HTTP response coming from the server, the header may contain a script that will get executed in the client's browser context, potentially resulting in a cross-site scripting vulnerability or possibly an HTTP response splitting attack. It is important to carefully control data that is being placed both in the HTTP response header and in the HTTP response body to ensure that no scripting syntax is present, taking various encodings into account.

Common Consequences

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope | Impact | Likelihood |
---|---|---|
Integrity, Confidentiality, Availability | Technical Impact: Execute Unauthorized Code or Commands. Run arbitrary code. | |
Confidentiality | Technical Impact: Read Application Data. Attackers may be able to obtain sensitive information. | |
Potential Mitigations

Phase: Architecture and Design | Perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header. |
Phase: Architecture and Design | Disable script execution functionality in the clients' browser. |
Relationships

Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Likelihood Of Exploit

Demonstrative Examples

Example 1

In the following Java example, user-controlled data is added to the HTTP headers and returned to the client. Given that the data is not subject to neutralization, a malicious user may be able to inject dangerous scripting tags that will lead to script execution in the client browser.

(bad code) Example Language: Java

    response.addHeader(HEADER_NAME, untrustedRawInputData);
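The following is an added example, not part of the CWE entry, written in Python rather than the entry's Java so the two behaviours can be compared side by side. It mirrors the one-line `addHeader` call above as `build_response_vulnerable`, and sets a hardened variant next to it that applies the "Architecture and Design" mitigation: control characters (CR/LF, the response-splitting case the Extended Description mentions) are rejected, non-ASCII is rejected because header bytes are decoded differently by different clients, and markup/scripting metacharacters are percent-encoded before the value reaches the header. The header name `X-Echo`, the helper names, the `serialize_response` rendering and the attacker strings are all constructed for the demonstration.

```python
import re

# Control characters (including CR and LF) are rejected outright: a CR/LF pair
# in a header value lets an attacker terminate the header and inject further
# headers or a body (HTTP response splitting); NUL truncates in some parsers.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Characters that a client component parsing raw headers could interpret as
# markup or scripting syntax. They are percent-encoded rather than stripped,
# so the value stays reversible and nothing is silently dropped.
_SCRIPTING_CHARS = {"<": "%3C", ">": "%3E", '"': "%22", "'": "%27", "&": "%26"}


class UnsafeHeaderValue(ValueError):
    """Raised when a header value cannot be made safe and must be rejected."""


def neutralize_header_value(value: str) -> str:
    """Return a header-safe form of an untrusted string, or raise.

    Non-ASCII is rejected because header field values are byte strings and
    different clients apply different decodings; the entry's "taking various
    encodings into account" point is handled here by refusing the ambiguity.
    """
    if not value.isascii():
        raise UnsafeHeaderValue("non-ASCII data in header value")
    if _CONTROL_CHARS.search(value):
        raise UnsafeHeaderValue("control character (e.g. CR/LF) in header value")
    return "".join(_SCRIPTING_CHARS.get(ch, ch) for ch in value)


def serialize_response(headers: dict) -> str:
    """Render a minimal HTTP/1.1 response head (constructed for the demo)."""
    lines = ["HTTP/1.1 200 OK"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_response_vulnerable(header_name: str, untrusted: str) -> str:
    """Equivalent of the Java example: raw input copied into a header."""
    return serialize_response({header_name: untrusted})


def build_response_hardened(header_name: str, untrusted: str) -> str:
    """Same response, but the value is neutralized (or rejected) first."""
    return serialize_response({header_name: neutralize_header_value(untrusted)})


def count_header_lines(raw_response: str) -> int:
    """Number of header lines a client would parse out of the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n")) - 1  # minus the status line


if __name__ == "__main__":
    # Constructed attacker inputs for the demo, not observed payloads.
    script_payload = "<script>alert(1)</script>"
    split_payload = "ok\r\nSet-Cookie: session=attacker-controlled"

    print(build_response_vulnerable("X-Echo", script_payload))
    print(build_response_hardened("X-Echo", script_payload))
    # The raw copy turns one header into two; the hardened path refuses it.
    print(count_header_lines(build_response_vulnerable("X-Echo", split_payload)))  # 2
    try:
        build_response_hardened("X-Echo", split_payload)
    except UnsafeHeaderValue as exc:
        print("rejected:", exc)
```

Percent-encoding is a reasonable choice for a free-form header such as the `X-Echo` example, but it changes the value; for headers whose value must stay exact (a `Location` URL, a cookie attribute), validate against an allow-list of the characters that header actually permits and reject anything else instead of encoding. Also apply the check after any decoding the framework performs, otherwise an attacker-supplied `%3C` or `%0D%0A` that the framework decodes on the way in would reach the header untouched.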
Observed Examples

Reference | Description |
---|---|
 | Web server does not remove the Expect header from an HTTP request when it is reflected back in an error message, allowing a Flash SWF file to perform XSS attacks. |
Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Vulnerability Mapping Notes

Usage: ALLOWED (this CWE ID could be used to map to real-world vulnerabilities) |
Reason: Acceptable-Use |
Rationale: This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities. |
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction. |
Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
Software Fault Patterns | SFP24 | | Tainted input to command |
Content History

Submissions

Submission Date | Submitter | Organization |
---|---|---|
2008-01-30 (CWE Draft 8, 2008-01-30) | Evgeny Lebanidze | Cigital |

Modifications

Modification Date | Modifier | Organization | Change |
---|---|---|---|
2008-07-01 | Sean Eidemiller | Cigital | added/updated demonstrative examples |
2008-09-08 | CWE Content Team | MITRE | updated Common_Consequences, Relationships, Observed_Example |
2008-10-14 | CWE Content Team | MITRE | updated Description, Name, Observed_Examples, Relationships |
2009-03-10 | CWE Content Team | MITRE | updated Relationships |
2009-05-27 | CWE Content Team | MITRE | updated Description, Name |
2009-10-29 | CWE Content Team | MITRE | updated Common_Consequences |
2010-04-05 | CWE Content Team | MITRE | updated Description, Name |
2010-06-21 | CWE Content Team | MITRE | updated Demonstrative_Examples, Description, Observed_Examples |
2010-12-13 | CWE Content Team | MITRE | updated Common_Consequences |
2011-03-29 | CWE Content Team | MITRE | updated Description |
2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences |
2012-05-11 | CWE Content Team | MITRE | updated Relationships |
2012-10-30 | CWE Content Team | MITRE | updated Potential_Mitigations |
2014-07-30 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings |
2017-11-08 | CWE Content Team | MITRE | updated Applicable_Platforms, Enabling_Factors_for_Exploitation |
2020-02-24 | CWE Content Team | MITRE | updated Applicable_Platforms, Relationships |
2021-10-28 | CWE Content Team | MITRE | updated Relationships |
2023-01-31 | CWE Content Team | MITRE | updated Description |
2023-04-27 | CWE Content Team | MITRE | updated Relationships, Time_of_Introduction |
2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes |

Previous Entry Names

Change Date | Previous Entry Name |
---|---|
2008-10-14 | Insufficient Filtering of HTTP Headers for Scripting Syntax |
2009-05-27 | Insufficient Sanitization of HTTP Headers for Scripting Syntax |
2010-04-05 | Improper Sanitization of HTTP Headers for Scripting Syntax |