| Details | |
|---|---|
| Alert ID | 40003 |
| Alert Type | Active |
| Status | release |
| Risk | Medium |
| CWE | 113 |
| WASC | 25 |
| Technologies Targeted | All |
| Tags |
CWE-113 OWASP_2017_A01 OWASP_2021_A03 WSTG-V42-INPV-15 |
| More Info |
Scan Rule Help |
Summary
Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist.
Solution
Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF.Other Info
References
- https://owasp.org/www-community/vulnerabilities/CRLF_Injection
- https://cwe.mitre.org/data/definitions/113.html