
CWE-113 HTTP Response Splitting

Description

HTTP Response Splitting

Reference: https://cwe.mitre.org/data/definitions/113.html

OWASP Category: A03:2021 – Injection


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: User input directly in header
String redirectUrl = request.getParameter("url");
response.addHeader("Location", redirectUrl);  // Can inject headers!

// VULNERABLE: User input in cookie
String sessionId = request.getParameter("session");
response.addHeader("Set-Cookie", "sid=" + sessionId);  // CRLF injection!

Why it's vulnerable: the value returned by `request.getParameter()` is written into a response header unchanged. A header line is terminated by CR LF, so input that contains `\r\n` ends the intended header, and whatever follows is parsed by the client (or an intermediary) as further headers or as the start of the response body. That is the HTTP Response Splitting weakness described by CWE-113.


Deterministic Fix

✅ Secure Implementation

// SECURE: Strip CR/LF before adding to headers
public static String sanitizeHeader(String value) {
    if (value == null) return null;
    return value.replaceAll("[\\r\\n]", "");  // Remove CR and LF
}

String redirectUrl = request.getParameter("url");
response.addHeader("Location", sanitizeHeader(redirectUrl));

// SECURE: URL-encode user input that is embedded in a URL as a query-parameter value.
// URLEncoder produces application/x-www-form-urlencoded output (it also encodes ':' and '/'),
// so apply it to the parameter value, never to a complete URL.
String safeUrl = URLEncoder.encode(redirectUrl, StandardCharsets.UTF_8);

// SECURE: For cookies, use the Cookie class so the container builds the Set-Cookie header
// from structured fields instead of concatenating a raw string
String sessionId = request.getParameter("session");
Cookie cookie = new Cookie("sid", sanitizeHeader(sessionId));
cookie.setHttpOnly(true);
cookie.setSecure(true);
response.addCookie(cookie);

// SECURE: Spring's UriComponentsBuilder for redirects. baseUrl is an application-controlled
// constant; the user value is confined to one query parameter and percent-encoded by encode()
String safeRedirect = UriComponentsBuilder.fromUriString(baseUrl)
    .queryParam("target", redirectUrl)
    .build()
    .encode()
    .toUriString();

Why it's secure: every user-controlled value has CR and LF removed before it reaches `addHeader`, so the input can no longer terminate the header line. The Cookie API lets the container assemble Set-Cookie from typed fields rather than a concatenated string, and UriComponentsBuilder confines the user value to a single query parameter of a URI built from components, so neither path writes raw input into a header.


Detection Pattern

Look for these patterns in your codebase:

# Find header operations with user input
grep -rn "addHeader\\|setHeader" --include="*.java" | grep -E "getParameter|request"

Remediation Steps

  1. Strip \r (CR) and \n (LF) from all header values

  2. Use framework's Cookie class instead of raw Set-Cookie

  3. URL-encode user input used in URLs

  4. Validate header values against expected patterns
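Added example, not the skill's own code: it carries remediation steps 1 and 4 into a small Java class together with the JUnit 5 test that the Verification section asks for. The class name, the `requireSafeHeader` helper, the constructed `PAYLOAD` value and JUnit 5 on the test classpath are assumptions.

```java
import java.util.regex.Pattern;

import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.*;

// Added example, not part of the skill: hardening helpers plus the unit test
// that the Verification section asks for. Assumes JUnit 5 on the test classpath.
class HeaderValueGuardTest {

    // CR and LF are the characters that split a response, but every other ASCII control
    // character (0x00-0x1F, 0x7F) is equally unwanted in a header value; this is stricter
    // than the HTTP grammar (which tolerates HTAB) and handles all variants in one place.
    private static final Pattern CONTROL_CHARS = Pattern.compile("[\\x00-\\x1F\\x7F]");

    // Remediation step 1: strip, where a best-effort clean-up of the value is acceptable.
    static String sanitizeHeader(String value) {
        return value == null ? null : CONTROL_CHARS.matcher(value).replaceAll("");
    }

    // Remediation step 4: validate instead of silently rewriting. A value carrying a
    // control character is hostile or corrupt, so refusing it beats guessing intent.
    static String requireSafeHeader(String name, String value) {
        if (value == null || CONTROL_CHARS.matcher(value).find()) {
            throw new IllegalArgumentException("Illegal character in header " + name);
        }
        return value;
    }

    // Constructed test input: a redirect target carrying an embedded CRLF and a second header line.
    private static final String PAYLOAD = "https://example.com/next\r\nX-Injected: 1";

    @Test
    void sanitizeRemovesEveryLineBreak() {
        String cleaned = sanitizeHeader(PAYLOAD);
        assertFalse(cleaned.contains("\r") || cleaned.contains("\n"));
        // What was a second header line is now inert text inside a single header value.
        assertEquals("https://example.com/nextX-Injected: 1", cleaned);
    }

    @Test
    void validationRejectsControlCharacters() {
        assertThrows(IllegalArgumentException.class, () -> requireSafeHeader("Location", PAYLOAD));
        assertThrows(IllegalArgumentException.class, () -> requireSafeHeader("Location", "a\u0000b"));
        assertEquals("https://example.com/next", requireSafeHeader("Location", "https://example.com/next"));
    }
}
```

Prefer `requireSafeHeader` for values such as redirect targets, where a stripped value could still point somewhere unintended; reserve `sanitizeHeader` for purely informational headers.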


Key Imports


import java.net.URLEncoder;

import java.nio.charset.StandardCharsets;

import javax.servlet.http.Cookie;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.springframework.web.util.UriComponentsBuilder;


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-113 vulnerability
Resolve HTTP Response Splitting issue
Secure this Java code against http response splitting
SAST reports CWE-113

Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |


References


Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07
