Details | |
---|---|
Alert ID | 40003 |
Alert Type | Active |
Status | release |
Risk | Medium |
CWE | 113 |
WASC | 25 |
Technologies Targeted | All |
Tags | CWE-113 OWASP_2017_A01 OWASP_2021_A03 POLICY_API POLICY_DEV_FULL POLICY_QA_FULL POLICY_SEQUENCE WSTG-V42-INPV-15 |
More Info | Scan Rule Help |
Summary
A cookie can be set via CRLF injection: a request parameter is reflected unencoded into an HTTP response header, so a carriage return and line feed (CR LF, %0d%0a) in the parameter terminates that header and starts a new one of the attacker's choosing. The same mechanism may allow arbitrary HTTP response headers to be set. By carefully crafting the injected content (for example a second CR LF pair to end the header block, followed by a body containing cross-site scripting), the attacker may also split the response and poison a cache that stores it.
Solution
Type check the submitted parameter carefully, preferably against an allow-list of the characters or values it is expected to contain. Do not allow CR or LF to reach a response header: reject (or at least strip) CR (0x0D) and LF (0x0A) from the value after it has been URL-decoded, since the encoded form %0d%0a is decoded before the value is written. Many modern web frameworks refuse CR and LF in header values set through their API, but this should not be relied on where headers are written by hand or the framework is old.
Other Info
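The following is an added example, not the page's or ZAP's own scan-rule code, that illustrates both the Summary and the Solution above: a hand-written handler that reflects a hypothetical `lang` parameter into `Set-Cookie` unchecked, the hardened version that allow-lists the parameter and refuses control characters in header values, and a probe in the spirit of this alert that injects CRLF plus a marker header (the marker name and payloads are assumptions, not ZAP's actual ones) and checks whether the marker comes back as a real header or as the response body.

```python
import re
from typing import Optional
from urllib.parse import unquote

CRLF = "\r\n"


class HeaderInjectionError(ValueError):
    """Raised when a value destined for a response header contains forbidden characters."""


def build_response_vulnerable(lang: str) -> bytes:
    """Hypothetical hand-written handler: reflects the ?lang= parameter into Set-Cookie unchecked."""
    lines = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        f"Set-Cookie: lang={lang}; Path=/",
        "",
        "<html><body>ok</body></html>",
    ]
    return CRLF.join(lines).encode("latin-1")


def safe_header_value(value: str) -> str:
    """Defence in depth: refuse CR, LF and any other control character in a header value.

    RFC 9110 field values are visible characters plus SP and HTAB, so everything
    else below 0x20, and DEL, is rejected outright rather than silently stripped.
    """
    for ch in value:
        code = ord(ch)
        if (code < 0x20 and ch != "\t") or code == 0x7F:
            raise HeaderInjectionError(f"control character {code:#04x} in header value")
    return value


def build_response_hardened(lang: str) -> bytes:
    """Same handler with an allow-list type check on the parameter plus the header-value guard."""
    # fullmatch, not search with '$': '$' would still match before a trailing newline.
    if not re.fullmatch(r"[A-Za-z]{2,3}(-[A-Za-z]{2,8})?", lang):  # e.g. "en", "pt-BR"
        raise HeaderInjectionError("lang must look like a language tag")
    cookie = safe_header_value(f"lang={lang}; Path=/")
    lines = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        f"Set-Cookie: {cookie}",
        "",
        "<html><body>ok</body></html>",
    ]
    return CRLF.join(lines).encode("latin-1")


def parse_response(raw: bytes):
    """Split a raw response the way a browser or cache would: status line, header list, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.decode("latin-1").split(CRLF)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


MARKER = "crlfcheck"  # assumed marker name for the probe, not ZAP's real payload


def probe(handler, payload: str) -> Optional[bytes]:
    """Feed a URL-encoded parameter value to the handler, decoded as a server's query parser would."""
    try:
        return handler(unquote(payload))
    except HeaderInjectionError:
        return None


def injects_header(handler) -> bool:
    """Does a CRLF in the parameter let the probe add a Set-Cookie header of its own?"""
    raw = probe(handler, f"en%0d%0aSet-Cookie:%20{MARKER}=1")
    if raw is None:
        return False
    _, headers, _ = parse_response(raw)
    return any(name == "set-cookie" and value.startswith(f"{MARKER}=") for name, value in headers)


def splits_response(handler) -> bool:
    """Does a double CRLF let the probe end the headers and supply the body (response splitting)?"""
    injected = "<script>alert(1)</script>"
    raw = probe(handler, "en%0d%0a%0d%0a" + injected)
    if raw is None:
        return False
    _, _, body = parse_response(raw)
    return body.startswith(injected.encode())


if __name__ == "__main__":
    for name, handler in (("vulnerable", build_response_vulnerable), ("hardened", build_response_hardened)):
        print(f"{name}: header injection={injects_header(handler)}, response splitting={splits_response(handler)}")
```

Against the vulnerable handler both probes succeed: the first turns one `Set-Cookie` line into two, and the second pushes the original page out past a blank line so the attacker-supplied markup becomes the body a browser or cache sees. The hardened handler rejects the decoded value before anything is written, which is the check a scanner expects to see fail.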
References
- https://owasp.org/www-community/vulnerabilities/CRLF_Injection
- https://cwe.mitre.org/data/definitions/113.html