The application is vulnerable to HTTP header injection. HTTP header injection is a vulnerability that results from the failure to sanitize input values that are used to populate HTTP header values. An attacker can inject a carriage return and line feed into the header in order to manipulate the response. The HTTP standard RFC 2616 defines headers as being separated by a single CRLF and headers from the body by two. The vulnerability allows the attacker to rewrite responses in order to to perform a number of different attacks against users.
An attacker who can insert a CRLF into a header and rewrite responses can attack users in a number of ways. An attacker in control of the HTTP response can insert HTML in order to deface a website. Defacing a website could include adding content that poses a reputational risk to the organization. The content could also include cross-site scripting attacks or redirects to malicious websites. HTTP header injection can also enable HTTP response splitting attacks that poison a web cache and magnify the impact across multiple users.
How To Test
Sample Report Screenshots