How to fix VeraCode Improper Output Neutralization for Logs

Description
A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.

Recommendations
Avoid directly embedding user input in log files when possible. Sanitize user-supplied data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and...

How to fix VeraCode Improper Neutralization of CRLF Sequences in HTTP Headers

Description
A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.

Recommendations
Remove unexpected carriage returns and line feeds from user-supplied data used to construct an HTTP response. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

For More detail...

How to fix VeraCode Improper Neutralization of CRLF Sequences Injection

Description
A function call contains a CRLF Injection flaw. Writing unsanitized user-supplied input to an interface or external application that treats the CRLF (carriage return line feed) sequence as a delimiter to separate lines or records can result in that data being misinterpreted. FTP and SMTP are examples of protocols that treat CRLF as a delimiter when parsing commands.

Recommendations
Sanitize CRLF sequences from user-supplied input when the data is being passed to an entity that may incorrectly interpret it.

For More detail - CWE-93:...

How to fix VeraCode URL Redirection to Untrusted Site Open Redirect

Description
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link to generate a redirect.

Recommendations
Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. Check the supplied URL against a whitelist of approved URLs or domains before redirecting.

For More detail - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Issue Code
    url = "/myapp/"+reqNo+"/view";
    ((HttpServletResponse)response).sendRedirect(url);

Fixed...