In the 3.6 release of CAPEC last fall, we revamped the four CAPECs related to 
HTTP Splitting and Smuggling after exploring the issues behind those attack 
patterns.  The attack patterns involved are: HTTP Request Splitting - 
CAPEC-105, HTTP Response Splitting - CAPEC-34, HTTP Request Smuggling - 
CAPEC-33 and HTTP Response Smuggling - CAPEC-273.  For more detail on the 
changes we made, see
For the upcoming CWE 4.8 release on June 28, we are planning the revamp of 
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP 
Response Splitting') and CWE-444: Inconsistent Interpretation of HTTP Requests 
('HTTP Request Smuggling').  As you can see, we do not have coverage for 
"Request Splitting" or for "Response Smuggling."  The underlying weakness 
behind splitting is improper neutralization of CR/LF characters, and the 
underlying weakness behind smuggling is related to inconsistent interpretation 
of HTTP headers.

We do not believe that there is any material difference whether a weakness is 
involved in a response or a request - the mistake is the same. This is similar 
to how we don't have different CWEs for whether a buffer overflow is 
client-to-server or server-to-client.

With this in mind, we are considering broadening the scope of each of these 
CWEs to HTTP Splitting and HTTP Smuggling, i.e., removing the request/response 
distinction without introducing any additional CWEs.  However, "broadening the 
scope" is not something we commonly do to CWE entries.
We would like the community to share their thoughts on this issue.  Should 
CWE-113 (HTTP Response Splitting) and CWE-444 (HTTP Request Smuggling) be 
broadened in scope, or should we introduce new CWEs to discriminate between 
requests and responses?

Thank you,
Steve, Adam Chaudry, and Rich Piazza

Reply via email to