CRITICAL
Rule Definition
The risk of a header injection depends hugely on your environment.
If your webserver supports something like XSendFile / X-Accel, an attacker could potentially access arbitrary files on the systems.
If your system does not do that, there may be other concerns, such as:
- Cookie Injection
- Open Redirects
- Proxy Cache Poisoning
Remediation
Make sure only the value and not the key can be set by an attacker. (e.g. header('Location: ' . $_GET['target']);)
Verify the set values are sensible. Consider using an allow list. (e.g. for redirections)
Violation Code Sample
<?php
header($_GET['header']);
Fixed Code Sample
<?php
/**
* @psalm-taint-escape header
*/
function my_escaping_function_for_headers(string input) : string {
// Check that input is part of a hard-coded white-list of permitted headers
};
$escaped_header = my_escaping_function_for_headers($_GET['header']); // USE A FUNCTION ANNOTATED WITH @psalm-taint-escape header
header("Location: " . $escaped_header); // FIXED
Reference
Unvalidated Redirects and Forwards Cheat Sheet
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
OWASP Wiki for Cache Poisoning
https://owasp.org/www-community/attacks/Cache_Poisoning
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
https://cwe.mitre.org/data/definitions/601.html
CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
https://cwe.mitre.org/data/definitions/644.html
Related Technologies
Technical Criterion
Secure Coding - Input Validation
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.