Description
A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.
Recommendations
Avoid directly embedding user input in log files when possible. Sanitize user-supplied data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which automatically removes unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Only write custom blacklisting code when absolutely necessary. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
For more detail: CWE-117: Improper Output Neutralization for Logs
Issue Code
// className and message may be derived from user input and are written to the log as-is
strMessage = CLASSCONSTANTNAME + className + MESSAGENAME + message;
LOGGER.info(strMessage);
Fixed Code
strMessage = CLASSCONSTANTNAME + className + MESSAGENAME + message;
// HTML-entity encode the whole entry so embedded CR/LF and markup cannot forge log lines
LOGGER.info(ESAPI.encoder().encodeForHTML(strMessage));
Explanation
In the example above, the log message is assembled from values that can originate anywhere in the application, so it may contain CRLF sequences. Passing it through the encodeForHTML method applies HTML entity encoding to the user data before it is written, so embedded line breaks and markup are neutralized rather than interpreted.
Note that the following characters (hex code points) cannot be used in HTML: 00-08, 0B-0C, 0E-1F, and 7F-9F.
Description
A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.
Recommendations
Remove unexpected carriage returns and line feeds from user-supplied data used to construct an HTTP response. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
For more detail: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Issue Code
// headerKey and headerValue come from the request; any CR/LF in them is written straight into the response
response.setHeader(headerKey, headerValue);
response.addHeader(headerKey, headerValue);
Fixed Code
DefaultHTTPUtilities httpUtilities = new DefaultHTTPUtilities();
// ESAPI removes CR/LF from the name and value and validates them before writing to the response
httpUtilities.setHeader(response, headerKey, headerValue);
httpUtilities.addHeader(response, headerKey, headerValue);
Explanation
In the example above, the header value is written directly to the response object. Because that value is untrusted, an attacker who controls it can inject CRLF sequences and manipulate the HTTP response rendered by the browser.
Using the setHeader and addHeader methods of ESAPI's DefaultHTTPUtilities instead removes carriage returns and line feeds from the name and value and validates them before they are written, which prevents this attack.
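The validate-then-use approach from the recommendation above, as an added example in plain Java (it is not code from this guide or from ESAPI; the class and method names are chosen here):

```java
// Added example (not from this guide or ESAPI): a validate-or-strip helper that applies the
// recommendation above before a user-supplied value reaches a response header.
// HeaderGuard, safeHeaderValue and stripCrlf are names chosen for this example.
import java.util.regex.Pattern;

public final class HeaderGuard {
    // Allow only printable ASCII and horizontal tab in a header value; CR, LF and all
    // other control characters fall outside this class and are rejected.
    private static final Pattern SAFE_VALUE = Pattern.compile("[\\t\\x20-\\x7E]*");
    private static final int MAX_LENGTH = 500;

    /**
     * Preferred form: reject rather than repair. Throws if the value is absent, too long,
     * or contains any control character; otherwise returns it unchanged.
     */
    public static String safeHeaderValue(String name, String value) {
        if (value == null) {
            throw new IllegalArgumentException("header " + name + ": value is null");
        }
        if (value.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("header " + name + ": value too long");
        }
        if (!SAFE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("header " + name + ": control character in value");
        }
        return value;
    }

    /** Fallback when the request cannot simply be refused: drop CR and LF and keep the rest. */
    public static String stripCrlf(String value) {
        return value.replace("\r", "").replace("\n", "");
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal language tag and one carrying an embedded header break.
        String benign = "en-US";
        String hostile = "en-US\r\nX-Injected: 1";
        System.out.println("benign accepted: " + safeHeaderValue("Content-Language", benign));
        System.out.println("hostile stripped: " + stripCrlf(hostile));
        try {
            safeHeaderValue("Content-Language", hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("hostile rejected: " + e.getMessage());
        }
    }
}
```

Rejecting is the safer default because stripping silently joins the two lines into one value; use the strip variant only where the request must still be served.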
Description
A function call contains a CRLF Injection flaw. Writing unsanitized user-supplied input to an interface or external application that treats the CRLF (carriage return line feed) sequence as a delimiter to separate lines or records can result in that data being misinterpreted. FTP and SMTP are examples of protocols that treat CRLF as a delimiter when parsing commands.
Recommendations
Sanitize CRLF sequences from user-supplied input when the data is being passed to an entity that may incorrectly interpret it.
For more detail: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
Issue Code
// validSenderStr may contain CR/LF and is handed to the mail layer unchanged
message.setFrom(new InternetAddress(validSenderStr.toString()));
Fixed Code
message.setFrom(new InternetAddress(ESAPI.encoder().encodeForHTML(validSenderStr.toString())));
Explanation
In the example above, "validSenderStr" is input that can originate anywhere in the application, so it may contain CRLF sequences. Passing it through the encodeForHTML method applies HTML entity encoding to the user data before it is used, so embedded line breaks are neutralized rather than interpreted.
Note that the following characters (hex code points) cannot be used in HTML: 00-08, 0B-0C, 0E-1F, and 7F-9F.
Description
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link to generate a redirect.
Recommendations
Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. Check the supplied URL against a whitelist of approved URLs or domains before redirecting.
For more detail: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Issue Code
// reqNo is taken from the request and placed in the redirect target unchecked
url = "/myapp/" + reqNo + "/view";
((HttpServletResponse) response).sendRedirect(url);
Fixed Code
DefaultHTTPUtilities utilities = new DefaultHTTPUtilities();
url = "/myapp/" + reqNo + "/view";
// ESAPI checks the location against its configured redirect validation rule before redirecting
utilities.sendRedirect(url);
Explanation
In the example above, the "reqNo" value taken from the URL is used to build the redirect target. Because that value can be anything the user supplies, the code is exposed to an open redirect vulnerability.
Performing the redirect through ESAPI, which checks the location before redirecting, avoids this vulnerability.