CWE-113 HTTP Response Splitting
Coverage: 23 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 23 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged untrusted input being used in HTTP headers or redirect locations without proper sanitization. Attackers can inject CRLF sequences (\r\n) and potentially add/modify headers.
Why it matters
Attackers can inject CRLF sequences to split responses or set malicious headers.
- Set-Cookie injection: attacker can set cookies for your domain in some cases.
- Cache poisoning: injected headers can change caching behavior.
- Redirect/header manipulation: can be chained into phishing or XSS depending on context.
Safer examples
1) Never put raw user input into headers
Use server-generated values or allowlists.
2) Validate and sanitize header values
Reject values containing \r or \n and enforce allowed character sets.
3) Use framework helpers
Framework response APIs often normalize headers safely; avoid manual header concatenation.
How SiteShadow detects it (high level)
- Flags header-setting APIs (
setHeader,header,Location) using request-derived values. - Detects patterns that allow CRLF injection into headers.
References
- CWE-113: https://cwe.mitre.org/data/definitions/113.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.