I've been looking at this for some time now and draw the conclusion that setting EnableHeaderChecking to true
is in fact good enough to prevent http header injection attacks.
Looking at 'reflected' ASP.NET code, I found that:
- There is only one way to add custom HTTP headers to an HTTP response, namely using the HttpResponse.AppendHeader method
- HttpResponse.AppendHeader either
- creates instances of
HttpResponseHeader
(internal)
- or calls
HttpResponseHeader.MaybeEncodeHeader
(for IIS7WorkerRequests
)
- or assigns its respective properties (for known headers like RedirectLocation or ContentType)
HttpResponseHeader
instances are created before known headers like RedirectLocation or ContentType are sent (HttpResponse.GenerateResponseHeaders
)
- The
HttpResponseHeader
constructor checks the EnableheaderChecking setting and calls HttpResponseHeader.MaybeEncodeHeader
when set to true
HttpResponseHeader.MaybeEncodeHeader
correctly encodes newline characters which makes HTTP header injection attacks impossible
Here is a snippet to roughly demonstrate how I tested:
// simple http response splitting attack
Response.AddHeader("foo", "bar\n" +
// injected http response, bad if user provided
"HTTP/1.1 200 OK\n" +
"Content-Length: 19\n" +
"Content-Type: text/html\n\n" +
"<html>danger</html>"
);
The above only works if you explicitly turn EnableHeaderChecking off:
<httpRuntime enableHeaderChecking="false"/>
Fortify simply doesn't take configuration into account (setting EnableHeaderChecking explicitly had no effect) and thus always reports these type of issues.