Description
A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and crosssite scripting attacks.
Recommendations
Remove unexpected carriage returns and line feeds from user-supplied data used to construct an HTTP response. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
For More detail - CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Issue Code
|  | 
Fixed Code
|  | 
Explanation
Above Example setting header value directly to response object.But HTTP header allows an attacker to manipulate the HTTP response rendered by the browser and it will vulnerability / Untrusted. By using setHeader and addHeader function which is present in DefaultHTTPUtilities by ESAPI will avoid such an attack.




 
 
Easy to understand.
ReplyDeleteReally its great to see this kind of useful blog. Thanks for sharing this blog with us.
ReplyDeleteIf you are running any Laundry business then launching an On-demand Laundry App Development is very beneficial for you. How much does it cost to develop an On-Demand Laundry App Development? Want to know then Contact Us.