CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product does not neutralize, or incorrectly neutralizes, web scripting syntax in HTTP headers that can be used by web browser components that process raw headers, such as Flash. Flash Player reached end of life at the end of 2020, but the weakness is not specific to it: any client-side component that exposes raw request or response headers to script, or that renders an echoed header value without encoding it, is affected in the same way.
Common Consequences
Scope: Integrity, Confidentiality, Availability
Technical Impact: Execute Unauthorized Code or Commands
Note: Run arbitrary code.
Scope: Confidentiality
Technical Impact: Read Application Data
Note: Attackers may be able to obtain sensitive information.
Potential Mitigations
Phase: Architecture and Design
Description: Perform output validation in order to filter, escape or encode unsafe data before it is placed in an HTTP response header by the server. This applies to any value copied from the request into a response header or status line, including request headers that are echoed back in error messages.
Phase: Architecture and Design
Description: Disable script execution functionality in the clients' browser.
Observed Examples
Reference: CVE-2006-3918
A web server reflects the Expect request header, unsanitized, into the 417 error message, allowing a Flash SWF file (which can set arbitrary request headers) to perform XSS attacks.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Technologies
Taxonomy Mappings
| Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| Software Fault Patterns | SFP24 | Tainted input to command | - |