All,

In the 3.6 release of CAPEC last fall, we revamped the four CAPECs related to 
HTTP Splitting and Smuggling after exploring the issues behind those attack 
patterns.  The attack patterns involved are: HTTP Request Splitting - 
CAPEC-105, HTTP Response Splitting - CAPEC-34, HTTP Request Smuggling - 
CAPEC-33 and HTTP Response Smuggling - CAPEC-273.  For more detail on the 
changes we made, see 
https://medium.com/@CWE_CAPEC/http-desync-the-redux-and-evolution-of-http-smuggling-and-splitting-attack-techniques-a698c265c9a1.
 
For the upcoming CWE 4.8 release on June 28, we are planning the revamp of 
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP 
Response Splitting') and CWE-444: Inconsistent Interpretation of HTTP Requests 
('HTTP Request Smuggling').  As you can see, we do not have coverage for 
"Request Splitting" or for "Response Smuggling."  The underlying weakness 
behind splitting is improper neutralization of CR/LF characters, and the 
underlying weakness behind smuggling is related to inconsistent interpretation 
of HTTP headers.

We do not believe that there is any material difference whether a weakness is 
involved in a response or a request - the mistake is the same. This is similar 
to how we don't have different CWEs for whether a buffer overflow is 
client-to-server or server-to-client.
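As an added illustration of the point above (example code, not part of the team's message): one serializer that writes header values to the wire without neutralizing CR/LF exhibits the CWE-113 defect identically whether the start line belongs to a response or a request, and one neutralization check fixes both. The start lines, header names and the tainted value are constructed for the example.

```python
# Added example, not from the CWE/CAPEC message: the same CRLF mistake in
# an HTTP response and an HTTP request, plus the neutralization that fixes both.
# All start lines, header names and the tainted value below are constructed.

CRLF = "\r\n"


def serialize_unsafe(start_line, headers):
    """Concatenates header values verbatim: the CWE-113 mistake.
    Behaves the same for a response or a request start line."""
    lines = [start_line] + [f"{name}: {value}" for name, value in headers]
    return CRLF.join(lines) + CRLF + CRLF


def neutralize_header_value(value):
    """Reject any CR or LF. Rejecting beats stripping: lenient parsers treat
    a bare LF or bare CR as a line break, so either alone is enough to
    make the receiver see an extra header line."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in an HTTP header value")
    return value


def serialize_safe(start_line, headers):
    """Same serializer with every header value neutralized first."""
    lines = [start_line] + [
        f"{name}: {neutralize_header_value(value)}" for name, value in headers
    ]
    return CRLF.join(lines) + CRLF + CRLF


def received_header_names(raw):
    """Receiver's view: header names between the start line and the blank
    line that terminates the header block."""
    head, _, _ = raw.partition(CRLF + CRLF)
    return [ln.split(":", 1)[0] for ln in head.split(CRLF)[1:] if ":" in ln]


# Constructed tainted value: a redirect target with an embedded CRLF followed
# by a header line the sender never intended to emit.
TAINTED = "https://example.test/home\r\nX-Injected: constructed"


def demo():
    """Header names the receiver sees for the unsafe response and request,
    and whether the safe serializer accepts the tainted value for each."""
    cases = {"response": "HTTP/1.1 302 Found", "request": "GET / HTTP/1.1"}
    results = {}
    for label, start in cases.items():
        headers = [("Host", "example.test"), ("Location", TAINTED)]
        results[f"unsafe_{label}"] = received_header_names(serialize_unsafe(start, headers))
        try:
            serialize_safe(start, headers)
            results[f"safe_{label}"] = "accepted"
        except ValueError:
            results[f"safe_{label}"] = "rejected"
    return results
```

Running `demo()` shows the injected header name appearing in both the response and the request built by the unsafe serializer, and the safe serializer rejecting the tainted value in both cases.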

With this in mind, we are considering broadening the scope of each of these 
CWEs to HTTP Splitting and HTTP Smuggling, i.e., removing the request/response 
distinction without introducing any additional CWEs.  However, "broadening the 
scope" is not something we commonly do to CWE entries.
 
We would like the community to share their thoughts on this issue.  Should 
CWE-113 (HTTP Response Splitting) and CWE-444 (HTTP Request Smuggling) be 
broadened in scope, or should we introduce new CWEs to discriminate between 
requests and responses?

Thank you,
Steve, Adam Chaudry, and Rich Piazza
CWE/CAPEC Team