How to fix VeraCode Improper Output Neutralization for Logs

Description

A function call writes unsanitized user-supplied input into a log. Writing untrusted data into a log file allows an attacker to forge log entries, for example by embedding carriage return and line feed characters so that the remainder of the input appears as a separate, legitimate-looking entry, or to inject content that attacks the tools used to view or process the logs. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log-viewing utility.

Recommendations

Avoid directly embedding user input in log files when possible. Sanitize user-supplied data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which automatically removes unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Only write custom blacklisting code when absolutely necessary. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
For more detail: CWE-117: Improper Output Neutralization for Logs

Issue Code

// className and message may carry user-controlled data, including CR/LF
strMessage = CLASSCONSTANTNAME + className + MESSAGENAME + message;
LOGGER.info(strMessage);

Fixed Code

strMessage = CLASSCONSTANTNAME + className + MESSAGENAME + message;
// HTML-entity-encode the entry so CR/LF (and any markup) cannot survive into the log
LOGGER.info(ESAPI.encoder().encodeForHTML(strMessage));

Explanation

In the example above the log message is assembled from values (className and message) that can originate anywhere in the application, including from user input, so it may contain CR/LF characters. Passing the assembled string through ESAPI's encodeForHTML applies HTML entity encoding to every non-alphanumeric character (CR becomes &#xd; and LF becomes &#xa;), so a single logging call can no longer produce more than one log line, and the encoded entry is also safe to render in an HTML-based log viewer.

Note that the following characters: 00-08, 0B-0C, 0E-1F, and 7F-9F cannot be used in HTML; encodeForHTML does not emit them as entities but substitutes a replacement character for them before encoding.
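The following is an added example, not code from the original post or from ESAPI. It rebuilds the message construction shown above with plain JDK code, uses a constructed attacker value for className that embeds a CRLF followed by a fake "admin logged in" entry, and contrasts the unsafe entry with two neutralizers: a minimal CR/LF strip, and a hand-written HTML entity encoder that follows the behaviour described for ESAPI (alphanumerics and a small immune set pass through, CR/LF become &#xd; and &#xa;, and the control ranges listed in the note above are replaced with U+FFFD). The class name, constants and helper names are illustrative.

```java
import java.util.logging.Logger;

/** Added example: log forging via CRLF and its neutralization (not ESAPI's code). */
public class LogNeutralizationDemo {

    private static final Logger LOGGER = Logger.getLogger(LogNeutralizationDemo.class.getName());
    private static final String CLASSCONSTANTNAME = "Class: ";
    private static final String MESSAGENAME = " Message: ";

    // Constructed attacker input: the className field carries a CRLF followed by text that
    // imitates a second, legitimate entry, so whoever reads the log sees a forged line.
    static final String FORGED_CLASS_NAME =
            "ReportServlet\r\nClass: AuthFilter Message: admin logged in from 10.0.0.1";

    /** The pattern from the "Issue Code" above: input concatenated straight into the entry. */
    static String buildEntryUnsafe(String className, String message) {
        return CLASSCONSTANTNAME + className + MESSAGENAME + message;
    }

    /** Minimal fix: a log entry must be exactly one physical line, so CR and LF cannot survive. */
    static String stripCrlf(String s) {
        return s == null ? "null" : s.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Stand-in for ESAPI.encoder().encodeForHTML (hypothetical, hand-written): ASCII
     * alphanumerics and the immune set ",.-_ " pass through; the control ranges
     * 00-08, 0B-0C, 0E-1F and 7F-9F become U+FFFD; everything else becomes a hex entity,
     * so CR -> &#xd; LF -> &#xa; TAB -> &#x9; and '<' -> &#x3c;.
     */
    static String encodeForLog(String s) {
        if (s == null) return "null";
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            boolean asciiAlnum = c < 128 && Character.isLetterOrDigit(c);
            if (asciiAlnum || c == ',' || c == '.' || c == '-' || c == '_' || c == ' ') {
                sb.append(c);
            } else if (c <= 0x08 || c == 0x0B || c == 0x0C
                    || (c >= 0x0E && c <= 0x1F) || (c >= 0x7F && c <= 0x9F)) {
                sb.append("&#xfffd;");
            } else {
                sb.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return sb.toString();
    }

    /** Encode only the untrusted fields; the trusted constants stay readable. */
    static String buildEntrySafe(String className, String message) {
        return CLASSCONSTANTNAME + encodeForLog(className) + MESSAGENAME + encodeForLog(message);
    }

    /** Number of physical lines an entry would occupy in the log; more than 1 means forging. */
    static int physicalLines(String entry) {
        return entry.split("\r\n|\r|\n", -1).length;
    }

    public static void main(String[] args) {
        String unsafe = buildEntryUnsafe(FORGED_CLASS_NAME, "report generated");
        String safe = buildEntrySafe(FORGED_CLASS_NAME, "report generated");

        System.out.println("unsafe entry spans " + physicalLines(unsafe) + " line(s)");
        System.out.println("safe entry spans " + physicalLines(safe) + " line(s)");
        System.out.println("stripCrlf only: " + stripCrlf(unsafe));

        LOGGER.info(unsafe); // the forged text appears on its own line in the log output
        LOGGER.info(safe);   // one line; the CRLF is visible as &#xd;&#xa;
    }
}
```

Compile and run with `javac LogNeutralizationDemo.java && java LogNeutralizationDemo`. The unsafe entry is split by the embedded CRLF into two physical lines, while the encoded entry stays on one. Two design points differ from the page's "Fixed Code" on purpose: only the untrusted fields are encoded, so the trusted constants and separators remain readable in the log, and the check in physicalLines is the kind of assertion worth keeping in a unit test for any custom sanitizer, since the page advises writing such code only when absolutely necessary.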
