CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
The Ktor Coroutine-based I/O server implementation io.ktor.client.engine.cio.CIO is vulnerable to HTTP Response Splitting.
Fixed Version
This vulnerability is fixed in Ktor version 1.2.6.
POC
The POC below shows a simple server that takes a user-provided value and reflects it back in a custom header. It demonstrates how an attacker could abuse this to supply their own response, enabling a variety of other attack vectors; in this case the attacker performs XSS and leaks potentially sensitive header values.
How could this be abused
If an application built on the Ktor library takes user-provided input and inserts it into a header value, that can be abused to carry out this attack.
Other Impacted Locations
It is also possible to abuse this vulnerability when untrusted user data is passed to the call.respondRedirect method.
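As an added example (not Ktor's own code or its fix), the following plain-Kotlin guard shows the check an application can apply to untrusted values before they reach a custom header or call.respondRedirect; the function and exception names are illustrative.

```kotlin
// Added example, not Ktor project code. Ktor before 1.2.6 did not neutralize
// CR/LF in header values, so a reflected value could end the header section
// and start a second response. Rejecting those characters in application code
// removes the injection point regardless of the engine version in use.

class UnsafeHeaderValueException(msg: String) : IllegalArgumentException(msg)

/** Returns [value] unchanged if it cannot break out of a header line, else throws. */
fun requireSafeHeaderValue(name: String, value: String): String {
    // CR and LF terminate a header line; other C0 controls and DEL are
    // rejected too, since some intermediaries normalise them into line breaks.
    val bad = value.indexOfFirst { it == '\r' || it == '\n' || it < ' ' || it == '\u007f' }
    if (bad >= 0) {
        throw UnsafeHeaderValueException(
            "header '$name' contains control character U+%04X at index $bad"
                .format(value[bad].code)
        )
    }
    return value
}

/** Same rule for a redirect target, which must also be a single URL token. */
fun requireSafeRedirectTarget(url: String): String {
    requireSafeHeaderValue("Location", url)
    if (url.any { it.isWhitespace() }) {
        throw UnsafeHeaderValueException("redirect target contains whitespace")
    }
    return url
}

fun main() {
    // Constructed sample inputs: a benign value and one carrying a CRLF.
    val benign = "session=abc123"
    val hostile = "session=abc123\r\nX-Injected: 1"
    println(requireSafeHeaderValue("X-Reflected", benign))   // passes through unchanged
    try {
        requireSafeHeaderValue("X-Reflected", hostile)
    } catch (e: UnsafeHeaderValueException) {
        println("rejected: ${e.message}")                    // control character at index 14
    }
    println(requireSafeRedirectTarget("/account/home"))     // passes through unchanged
}
```

Applying the guard at the point where untrusted input enters the response, rather than relying on the engine, also gives a single place to log rejected values for detection.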
Implications
See the CWE linked above for more detailed explanations of these:
- Cross-User Defacement
- Cache Poisoning
- Cross-Site Scripting (XSS)
- Page Hijacking