
I used VeraCode to validate my code, and in the validation I found a vulnerability of type CRLF Injection, because I used some cookies. I tried to solve it with the tag httpOnlyCookies=true in the web.config file, or with CookieName.HttpOnly = true in the C# code-behind, but it is not passing the validation in VeraCode. Do you have any idea?

This is my code; I declared the cookie in a superclass, UserInfo.cs:

private HttpCookie httpCookie = null;

public UserInfo()
{
    if (this.httpCookie == null)
    {
        this.httpCookie = this.Context.Request.Cookies["ExampleCookie"];
    }

    if (this.httpCookie == null)
    {
        this.httpCookie = new HttpCookie("ExampleCookie");
        this.httpCookie.HttpOnly = true; //I tried with this too
        this.Context.Response.Cookies.Set(this.httpCookie);
    }
}

static public UserInfo GetCurrent
{
    get
    {
        return new UserInfo();
    }
}

public string UserName
{
    set
    {
        this.httpCookie.Values["UserName"] = value.ToString();
        this.Context.Response.SetCookie(this.httpCookie);
    }
    get
    {
        return this.httpCookie["UserName"] == null ? string.Empty : this.httpCookie["UserName"].ToString();
    }
}

web.config:

<system.web>
  <httpCookies httpOnlyCookies="true" />
</system.web>
  • HttpCookie.HttpOnly gets or sets a value that specifies whether a cookie is accessible by client-side script. A CRLF injection issue refers to inserting a malicious [CRLF sequence](https://www.owasp.org/index.php/CRLF_Injection). These are two different things and why setting the HttpOnly property is not helping you. – Clay Ver Valen Jun 04 '19 at 17:11
  • You need to scrub your cookie data to ensure it doesn't have any CRLF sequences (e.g., in the `UserName` setter, `this.httpCookie.Values["UserName"] = value.Replace("\r\n", "");`). [BTW, `value` is a `string`, so there is no need for `.ToString()`.] – Heretic Monkey Jun 04 '19 at 17:20
  • @HereticMonkey If I add the tag enableHeaderChecking="false" in web.config, will it also work? – Turoel Jun 04 '19 at 17:40
  • Unlikely. Veracode will probably then complain about that. You should concentrate on fixing the underlying vulnerability rather than how to get around it. – Heretic Monkey Jun 04 '19 at 17:41
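The comments above make the distinction the scanner is drawing: HttpOnly controls script access to the cookie, while the CRLF finding is about user-supplied data flowing unchecked into the Set-Cookie header. The following is an added example, not the asker's code and not Veracode's guidance, showing the scrubbing approach Heretic Monkey describes in a stricter form: the value is validated before it reaches the cookie, and the setter refuses it rather than silently editing it. It assumes ASP.NET on the .NET Framework (System.Web); the helper name CookieValueSanitizer and the constructor that takes an HttpContext are assumptions, since the original gets Context from its base class.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical helper (not from the original post): the cookie-value grammar in
// RFC 6265 never includes CR, LF or other ASCII control characters, so any of
// them in a value is either an error or an injection attempt.
public static class CookieValueSanitizer
{
    private static readonly Regex ControlChars =
        new Regex(@"[\x00-\x1F\x7F]", RegexOptions.Compiled);

    // Lenient variant: strip the offending characters (what a Replace("\r\n", "")
    // approximates, but covering a lone CR or LF as well).
    public static string Sanitize(string value)
    {
        if (value == null) return string.Empty;
        return ControlChars.Replace(value, string.Empty);
    }

    // Strict variant: report whether the value is acceptable as-is. Preferable
    // for identity attributes such as a user name, where silently altering the
    // value would hide the problem.
    public static bool IsSafe(string value)
    {
        return value != null && !ControlChars.IsMatch(value);
    }
}

// Assumed shape of the class; the original derives Context from a base class,
// here it is passed in explicitly so the example is self-contained.
public class UserInfo
{
    private readonly HttpContext context;
    private readonly HttpCookie httpCookie;

    public UserInfo(HttpContext context)
    {
        this.context = context;
        this.httpCookie = context.Request.Cookies["ExampleCookie"]
                          ?? new HttpCookie("ExampleCookie");

        // HttpOnly is still worth keeping: it addresses script access to the
        // cookie, which is a separate concern from header injection.
        this.httpCookie.HttpOnly = true;
        this.httpCookie.Secure = true;
    }

    public string UserName
    {
        get
        {
            // Values[] already returns a string, so no ToString() is needed.
            string v = this.httpCookie.Values["UserName"];
            return v ?? string.Empty;
        }
        set
        {
            // Validate before the value can reach the Set-Cookie header.
            if (!CookieValueSanitizer.IsSafe(value))
            {
                throw new ArgumentException(
                    "Cookie value contains CR, LF or another control character.",
                    nameof(value));
            }

            this.httpCookie.Values["UserName"] = value;
            this.context.Response.SetCookie(this.httpCookie);
        }
    }
}
```

Sanitize("alice\r\nSet-Cookie: admin=true") returns "aliceSet-Cookie: admin=true", and IsSafe on the same input returns false, so the strict setter throws instead of writing the cookie. Either path removes the data flow the scanner objects to; the enableHeaderChecking setting discussed in the comments is a separate runtime safeguard that should stay at its default rather than be used as the fix.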
