Build an encoding function specific to HTTP/Response Splitting (tactical remediation)

Open meg23 opened this issue 11 years ago • 3 comments

From [email protected] on January 30, 2011 13:40:05

I think we need a better strategy for response splitting defense.

Right now, the only advice we give is to use the Request/Response wrappers, a defense that is not practical for all shops.

I think we need 2 approaches:

  1. Input Validation function that specifically strips linefeed line control characters after canonicalization
  2. Header Encoder that renders linefeed control characters inert (the best defense is always at the usage boundary)

Thoughts?

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=201

meg23 avatar Nov 13 '14 18:11 meg23

@xeno6696 Weird that we had a duplicate 209 and 210. Too much caffeine that day for Manico? :)

Note that we should automatically do this cleansing to prevent HTTP Response Splitting for any cookies or other HTTP response headers that ESAPI may create. May require a code inspection to find all the cases.

kwwall avatar Jul 20 '17 03:07 kwwall

To satisfy the first item:

  1. Input Validation function that specifically strips linefeed line control characters after canonicalization

One can simply use the stripControls() static method from the org.owasp.esapi.StringUtilities class. Based on that, it is relatively easy to create the second item. But this is largely what SecurityWrapper already does.

kwwall avatar Jul 07 '19 03:07 kwwall

Reset the priority from Medium to Low since there is already a way to accomplish this via StringUtilities.stripControls(). Plus it is open source with a liberal new BSD license. Pull out the code from SecurityWrapper to do only what you want it to do.

kwwall avatar Jul 07 '19 03:07 kwwall