Improper Neutralization of CRLF Sequences in HTTP Headers

Question

I ran Veracode scan on my project and it gave me CWE ID 113 issue under HTTP response splitting. I tried to resolve the issue with there recommendations but it did not work. e.g.

try
    {
        String selNhid = req.getParameter("selNhid");
        String redirectURL = "/nhwhoods?action=membersNH&selNhid="+selNhid;
         res.sendRedirect(req.getContextPath() + redirectURL);
    }
    catch (Exception e)
    {
        e.printStackTrace();
    }

above code is from one of the file. And report showing error at line

res.sendRedirect(req.getContextPath() + redirectURL);

Any suggestions, how to resolve the issue ?

what was it that you tried that didn't work? – eis May 07 '19 at 15:59 — eis, May 07 '19 at 15:59

devwebcl · Answer 1 · 2019-06-05T14:38:43.217

0

This can be fixed using ESAPI 2.1.0.1 library with:

import org.owasp.esapi.ESAPI;

ESAPI.httpUtilities().setHeader(response, param, value);
ESAPI.httpUtilities().addCookie(response, cookie);

edited Jun 05 '19 at 14:38

answered May 07 '19 at 15:57

devwebcl

2,866
3
27
46

score 0 · Answer 2 · answered May 07 '19 at 16:00

0

how about just removing CRLF sequences from redirectURL parameter, like the error message suggests?

A simple .replaceAll("[\\r\\n]+", "") should do it.

answered May 07 '19 at 16:00

eis

51,991
13
150
199

score 0 · Answer 3 · answered Jun 05 '19 at 14:46

There is a missing URL encoding for the selNhid.

String redirectURL = "/nhwhoods?action=membersNH&selNhid="
        + URLEncoder.encode(selNhid, StandardCharsets.UTF_8);

The above assumes you are working with UTF-8. Now nasty content will be disarmed as %XX bytes.

Improper Neutralization of CRLF Sequences in HTTP Headers

3 Answers3

Linked