Rule Definition
CR and LF characters in an HTTP header may give attackers control of the remaining headers and body of the response the application intends to send, as well as allowing them to create additional responses entirely under their control.

Remediation
Use authorized sanitization methods. To avoid the creation of XSS flaws, the Open Web Application Security Project (OWASP) recommends both input validation and "strong output encoding" or sanitization: "Strong output encoding. Ensure that all user-supplied data is appropriately entity encoded (either HTML or XML depending on the output mechanism) before rendering, taking the approach to encode all characters other than a very limited subset. This is the approach of the Microsoft Anti-XSS library or any valid sanitization libraries. Also, set the character encodings for each page you output, which will reduce exposure to some variants."

Violation Code Sample

Sample 1
response.addHeader(HEADER_NAME, rawInputData);

Sample 2
String header = request.getParameter(HEADER_NAME);
// ...
Cookie cookie = new Cookie("header", header);
response.addCookie(cookie);

Fixed Code Sample

Sample 1
// include validation code for rawInputData  --> cleanData
response.addHeader(HEADER_NAME, cleanData);


Sample 2:
String header = request.getParameter(HEADER_NAME);
// ...
// include validation code for header
Cookie cookie = new Cookie("header", header);
response.addCookie(cookie);

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') https://cwe.mitre.org/data/definitions/113.html CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax https://cwe.mitre.org/data/definitions/644.html Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Top_10_2007