WAF 390712

From Atomicorp Wiki
Revision as of 11:20, 20 November 2015 by Mshinn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Rule ID

390712

Status

Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Possible HTTP Response Splitting Attack

Description

This rule detects possible HTTP response splitting attacks. These types of attacks work by making the server print a carriage return (CR, ASCII 0x0D) line feed (LF, ASCII 0x0A) sequence followed by content supplied by the attacker in the header section of its response, typically by including them in input fields sent to the application. Per the HTTP standard (RFC 2616), headers are separated by one CRLF and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses—hence the name.


False Positives

It is not recommended that you disable this rule if you have a false positive. If you believe this is a false positive, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.


Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Retrieved from "https://wiki.atomicorp.com/wiki/index.php?title=WAF_390712&oldid=5601"
Personal tools