
HTTP Header Injection


In this post, we take a look at this rather nasty injection attack, and how developers can prevent these types of attacks in their web applications.


Injections are vulnerabilities that occur when an application validates user input poorly or not at all. An attacker can inject malicious data and thereby make the system perform actions it was never intended to perform. Such vulnerabilities may result in the major SAP risks (Espionage, Sabotage, and Fraud).

We continue considering Injections from the list that we discussed in our Introduction to Secure ABAP Development Guide.

Earlier we spotlighted the following subtypes of Injections:

  1. SAP SQL Injection
  2. SAP OS Command Injection
  3. ABAP Code Injection

Now it's HTTP Header Injection's turn.

HTTP Header Injection is a vulnerability that appears when Hypertext Transfer Protocol (HTTP) headers are generated dynamically from user input. For example, in ABAP the set_cookie method of the IF_HTTP_ENTITY class is used to send a cookie to the browser. If data from an untrusted source ends up in the cookie of the response, an attacker can manipulate the user's cookie.

DATA: url    TYPE string,
      author TYPE string.

" Location header built directly from the 'url' parameter of the request
url = request->get_form_field( 'url' ).
IF url IS NOT INITIAL.
  response->redirect( url ).
  navigation->response_complete( ).
ENDIF.

" Set-Cookie header built directly from the 'author' parameter of the request
author = request->get_form_field( 'author' ).
response->set_cookie( name = 'author' value = author ).

In this case, the data supplied by the user passes straight from the request into the set_cookie method without any filtering; the redirect( url ) call in the first block has the same problem, since the Location header is built from an unchecked parameter. The attacker can take over the user's session and perform actions on the user's behalf, or gain access to sensitive information. This may lead to serious business risks, including espionage or fraud.
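To make the failure mode and the fix concrete outside of ABAP, here is an added Python example (not code from the article or from SAP): a naive Set-Cookie builder that copies the value verbatim, as the set_cookie call above does, next to a hardened builder that rejects control characters in header values, and a Location builder that only accepts same-site paths or an allow-listed https host. The function names, the HeaderInjectionError class and the host allow-list are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# CR and LF end a header line, so a value containing them lets the sender of
# that value append further header lines. NUL and other C0 controls are
# rejected as well; no legitimate cookie value needs them.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]")


class HeaderInjectionError(ValueError):
    """Raised when user-supplied data is unsafe to place in a header."""


def vulnerable_set_cookie(name: str, value: str) -> str:
    """Mirror of the unchecked set_cookie call: the value is copied verbatim."""
    return f"Set-Cookie: {name}={value}"


def safe_header_value(value: str) -> str:
    """Return value unchanged if it is safe for a header, otherwise raise."""
    if _FORBIDDEN.search(value):
        raise HeaderInjectionError("control character in header value")
    return value


def safe_set_cookie(name: str, value: str) -> str:
    """Hardened builder: validated name, validated value, restrictive attributes."""
    # Cookie names are a small token alphabet; reject anything else outright.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise HeaderInjectionError("invalid cookie name")
    value = safe_header_value(value)
    # HttpOnly and Secure limit what an attacker gains even if the value leaks.
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly"


def safe_redirect_location(url: str, allowed_hosts: frozenset) -> str:
    """Build a Location header only for same-site or allow-listed targets."""
    url = safe_header_value(url)
    parts = urlsplit(url)
    # A relative path on this site: no scheme, no host, and not "//host" form.
    if not parts.scheme and not parts.netloc and url.startswith("/") \
            and not url.startswith("//"):
        return f"Location: {url}"
    # An absolute URL is only allowed for explicitly listed https hosts.
    if parts.scheme == "https" and parts.netloc.lower() in allowed_hosts:
        return f"Location: {url}"
    raise HeaderInjectionError("redirect target not allowed")


def count_header_lines(raw: str) -> int:
    """How many header lines a client would see after splitting on CRLF."""
    return len([line for line in raw.split("\r\n") if line])


if __name__ == "__main__":
    # Constructed input: a value that carries a CRLF sequence.
    crafted = "bob\r\nX-Injected: 1"
    print(count_header_lines(vulnerable_set_cookie("author", crafted)))  # 2 lines
    try:
        safe_set_cookie("author", crafted)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

The vulnerable builder turns one cookie value into two header lines; the hardened one refuses the value before it reaches the response. For the redirect, the check is on the destination rather than only on control characters, because a clean but attacker-chosen absolute URL is still a problem even when no extra header line is injected.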

Remediation

The best remediation for this vulnerability is to avoid storing any confidential data in a cookie at all. System IDs, hostnames, and non-public IP addresses of target servers are valuable to an attacker. If storing such information in a cookie is unavoidable for your system, store a one-way hash of it rather than the value itself. In addition, to improve the general security level of the system, set the icm/HTTP/logging_0 parameter as LOGFILE=path_to_file so that HTTP requests are logged.
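The two remediation steps above, as an added Python example rather than code from the article or from SAP: a keyed one-way digest for a cookie value that must not be readable by the client, and a scan over request log lines that flags query strings carrying a percent-encoded CR or LF. The log lines are constructed for this example in a generic CLF-like layout, not the ICM's own log format; the server key, function names and sample paths are assumptions. The digest goes beyond the article's plain hash by keying it, because a short guessable value such as a hostname could otherwise be recovered by hashing candidates and comparing.

```python
import hashlib
import hmac
import re
from urllib.parse import unquote

# Server-side secret, constructed for the example. In production it would come
# from a protected configuration store and never appear in a request or cookie.
SERVER_KEY = b"example-server-key-do-not-reuse"


def opaque_cookie_value(secret_data: str) -> str:
    """Keyed one-way digest of data that must not be readable from the cookie."""
    return hmac.new(SERVER_KEY, secret_data.encode(), hashlib.sha256).hexdigest()


def cookie_matches(secret_data: str, cookie_value: str) -> bool:
    """Server-side check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(opaque_cookie_value(secret_data), cookie_value)


# Constructed, CLF-style request log lines (not the ICM's own format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sap/bc/app?author=alice HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /sap/bc/app?author=bob%0d%0aX-Injected:%201 HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sap/bc/app?url=%2Fhome%0aX-Other:%201 HTTP/1.1" 302 0
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /sap/bc/app?url=/home HTTP/1.1" 302 0
"""

# client, two ignored fields, bracketed timestamp, then "METHOD target VERSION".
_REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, request_target) for every request whose query string
    contains a CR or LF once percent-decoded, i.e. a header-injection attempt
    against a handler that copies parameters into response headers."""
    hits = []
    for line in log_text.splitlines():
        m = _REQUEST.match(line)
        if not m:
            continue                      # not a request line we understand
        target = m.group("target")
        if "?" not in target:
            continue                      # no query string, nothing to decode
        decoded = unquote(target.split("?", 1)[1])
        if "\r" in decoded or "\n" in decoded:
            hits.append((m.group("ip"), target))
    return hits


if __name__ == "__main__":
    digest = opaque_cookie_value("HOST01")
    print("cookie carries:", digest)
    print("server check :", cookie_matches("HOST01", digest))
    for ip, target in suspicious_requests(SAMPLE_LOG):
        print("suspicious request from", ip, "->", target)
```

The log scan decodes only the query string, so a legitimate request with "%0a" inside the path component is not reported; widen it to the whole target if your handlers also copy path segments into headers.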

Further Steps

Use authority checks to increase the security of your code. They do not guarantee complete protection against injections, but they can sometimes prevent attacks. For example, check the user's access rights before executing INSERT REPORT. For this purpose, use the AUTHORITY-CHECK command:

DATA: src      TYPE TABLE OF string,   " source lines to be written
      u_input  TYPE string,            " user-supplied source line
      prg_name TYPE syrepid,           " name of the program to create
      devclass TYPE devclass,          " package of the program
      objname  TYPE sobj_name.         " object name for the check

AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'ACTVT'    FIELD '02'
    ID 'DEVCLASS' FIELD devclass
    ID 'OBJNAME'  FIELD objname
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'P_GROUP'  DUMMY.               " this field is not checked

IF sy-subrc <> 0.
  " no authorization: stop before any source is written
  LEAVE PROGRAM.
ENDIF.

APPEND u_input TO src.
INSERT REPORT prg_name FROM src.

'ACTVT' is the activity field: it lists the operations a user is allowed to perform on the object. Value '02' means the user is allowed to change the program, which is exactly what INSERT REPORT does.

This is all for today, and we hope the article has answered your questions concerning HTTP Header Injection.



Published at DZone with permission of
