ワンクリックで
sc-header-injection
HTTP Header Injection and Response Splitting detection via CRLF injection in headers
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
HTTP Header Injection and Response Splitting detection via CRLF injection in headers
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-header-injection |
| description | HTTP Header Injection and Response Splitting detection via CRLF injection in headers |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects HTTP header injection vulnerabilities where user-controlled input is placed into HTTP response headers without CRLF character sanitization, enabling response splitting, cookie injection, cache poisoning, and XSS via injected headers. Also covers Host header injection used in password reset poisoning.
Called by sc-orchestrator during Phase 2 when HTTP response handling is detected.
**/*.py, **/*.js, **/*.ts, **/*.go, **/*.php, **/*.java, **/*.cs,
**/controllers/*, **/routes/*, **/handlers/*, **/middleware/*,
**/*redirect*, **/*header*, **/*cookie*, **/*response*
# Setting response headers with potential user input
"res.setHeader(", "res.header(", "response.addHeader(",
"response.setHeader(", "w.Header().Set(", "header(",
"Response.Headers.Add(", "Response.Cookies.Append(",
"Set-Cookie", "Location:", "Content-Disposition",
# Redirect with user input
"res.redirect(", "response.sendRedirect(", "redirect(",
"HttpResponse(.*status=302", "http.Redirect(",
"Response.Redirect("
# Host header usage
"request.getHeader(\"Host\")", "req.headers.host", "req.Host",
"$_SERVER['HTTP_HOST']", "request.META['HTTP_HOST']"
// VULNERABLE: User input in Set-Cookie header
app.get('/lang', (req, res) => {
res.setHeader('Set-Cookie', `lang=${req.query.lang}`);
// Attack: ?lang=en%0d%0aSet-Cookie:%20admin=true
// Injects additional header
});
// SAFE: Validate/encode header values
app.get('/lang', (req, res) => {
const lang = req.query.lang.replace(/[\r\n]/g, '');
res.setHeader('Set-Cookie', `lang=${encodeURIComponent(lang)}`);
});
# VULNERABLE: Using Host header for password reset URL
def password_reset(request):
host = request.META['HTTP_HOST'] # Attacker-controlled!
reset_url = f"https://{host}/reset?token={token}"
send_email(user.email, f"Reset here: {reset_url}")
# SAFE: Use configured server name
def password_reset(request):
reset_url = f"https://{settings.ALLOWED_HOSTS[0]}/reset?token={token}"
// VULNERABLE: User filename in Content-Disposition
func download(w http.ResponseWriter, r *http.Request) {
filename := r.URL.Query().Get("file")
w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s", filename))
// Attack: ?file=test%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<script>alert(1)</script>
}
// SAFE: Sanitize filename
filename = strings.Map(func(r rune) rune {
if r == '\r' || r == '\n' || r == '"' { return -1 }
return r
}, filename)
w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, filename))
Most modern HTTP libraries and frameworks reject CRLF characters in header values:
http.ServerResponse throws on CRLF in header values\r or \nHowever: Some configurations, proxies, or older versions may not enforce this.
\r and \n stripped from user input before header insertion?%0d%0a sequences could add arbitrary headers to the response.res.redirect() in Express URL-encodes the location