ABSTRACT

Disabling header checking opens the door for attackers to perform header manipulation attacks such as HTTP Response Splitting.

EXPLANATION

By default, the .NET Framework rejects new line characters passed to APIs that set HTTP header values. However, this check can be disabled in configuration files by setting the enableHeaderChecking attribute of the <httpRuntime> element to false.
When the check is disabled, any code that allows user input to reach header-setting APIs is vulnerable to attacks such as HTTP Response Splitting.
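To make the setting concrete, the following added example (it is not part of this page and not Microsoft's code) embeds a constructed web.config fragment carrying the weak enableHeaderChecking="false" setting beside the corrected one, plus a small audit that flags every <httpRuntime> element that disables the check, including overrides scoped by a <location> element. The function name audit_header_checking, the sample configurations and the finding text are my own choices; the audit treats an absent attribute as the framework default (checking enabled) and compares the attribute value case-insensitively so that "False" is also reported.

```python
"""Audit ASP.NET configuration files for <httpRuntime enableHeaderChecking="false" />."""
import xml.etree.ElementTree as ET

# Constructed sample: the weak configuration, header checking explicitly disabled.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime enableHeaderChecking="false" />
  </system.web>
</configuration>
"""

# Constructed sample: the corrected configuration, header checking explicitly enabled.
FIXED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime enableHeaderChecking="true" />
  </system.web>
</configuration>
"""

# Constructed sample: attribute omitted, so the framework default (enabled) applies.
DEFAULT_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime />
  </system.web>
</configuration>
"""

# Constructed sample: the check is disabled only for one sub-path via a <location> override.
LOCATION_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime enableHeaderChecking="true" />
  </system.web>
  <location path="legacy">
    <system.web>
      <httpRuntime enableHeaderChecking="False" />
    </system.web>
  </location>
</configuration>
"""


def audit_header_checking(config_xml: str) -> list:
    """Return one finding string per <httpRuntime> element that disables header checking.

    Every <httpRuntime> element in the document is examined, not just the one directly
    under <system.web>, so a disabled setting hidden inside a <location> override is
    reported together with the path it applies to.
    """
    root = ET.fromstring(config_xml)
    # ElementTree has no parent pointers; build a child -> parent map once.
    parent = {child: node for node in root.iter() for child in node}
    findings = []
    for elem in root.iter("httpRuntime"):
        value = elem.get("enableHeaderChecking")
        if value is None or value.strip().lower() != "false":
            continue  # absent (framework default) or explicitly enabled
        # Walk upwards to find out whether this override is scoped by <location path="...">.
        scope = "application root"
        node = parent.get(elem)
        while node is not None:
            if node.tag == "location":
                scope = 'location path="%s"' % node.get("path", "")
                break
            node = parent.get(node)
        findings.append('enableHeaderChecking="false" on <httpRuntime> (%s)' % scope)
    return findings


def audit_web_config_file(path: str) -> list:
    """Convenience wrapper: audit a configuration file on disk."""
    with open(path, "r", encoding="utf-8") as handle:
        return audit_header_checking(handle.read())


if __name__ == "__main__":
    samples = {
        "weak": WEAK_WEB_CONFIG,
        "fixed": FIXED_WEB_CONFIG,
        "default": DEFAULT_WEB_CONFIG,
        "location-scoped": LOCATION_WEB_CONFIG,
    }
    for name, xml_text in samples.items():
        print(name, "->", audit_header_checking(xml_text) or "no findings")
```

The only remediation is the corrected fragment shown in FIXED_WEB_CONFIG (or simply removing the attribute, since the framework default is to check headers); the audit is intended for configuration review and CI, where a non-empty result should fail the build.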
REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management

[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration

[3] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I

[4] Standards Mapping - FIPS200 - (FISMA) CM

[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 113

[6] httpRuntime Element - Microsoft

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.1

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.10