Question
I ran a Veracode scan on my project and it gave me a CWE ID 113 issue under HTTP response splitting. I tried to resolve the issue with their recommendations but it did not work. e.g.
    try
    {
        // Request parameter taken as-is from the client
        String selNhid = req.getParameter("selNhid");
        // Untrusted value concatenated straight into the redirect target
        String redirectURL = "/nhwhoods?action=membersNH&selNhid=" + selNhid;
        // Veracode flags this line: the value ends up in the Location header
        res.sendRedirect(req.getContextPath() + redirectURL);
    }
    catch (Exception e)
    {
        e.printStackTrace();
    }
The above code is from one of the files, and the report shows the error at the line
    res.sendRedirect(req.getContextPath() + redirectURL);
Any suggestions on how to resolve the issue?
Answer 1:
How about just removing CRLF sequences from the redirectURL parameter, like the error message suggests?
A simple .replaceAll("[\\r\\n]+", "")
should do it.
Answer 2:
This can be fixed using the ESAPI 2.1.0.1 library with:
    import org.owasp.esapi.ESAPI;
    ESAPI.httpUtilities().setHeader(response, param, value);
    ESAPI.httpUtilities().addCookie(response, cookie);
Answer 3:
The URL encoding for selNhid is missing.
    String redirectURL = "/nhwhoods?action=membersNH&selNhid="
        + URLEncoder.encode(selNhid, StandardCharsets.UTF_8);
The above assumes you are working with UTF-8. Now nasty content will be disarmed as %XX bytes.
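As an added illustration (not code from the question or any of the answers), the following puts the original concatenation next to a hardened variant that first validates the parameter against the shape an ID is expected to have and then URL-encodes it, so a CR/LF can neither survive validation nor reach the Location header. The numeric pattern for selNhid and the "/app" context path are assumptions; URLEncoder.encode(String, Charset) requires Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class SafeRedirect {
    // Assumption: selNhid is a short numeric identifier. Tighten or adjust to the real format.
    private static final Pattern SEL_NHID = Pattern.compile("[0-9]{1,12}");

    // Mirrors the concatenation from the question: the raw parameter goes into the
    // redirect target, so a CR/LF in it would be written into the header stream.
    static String vulnerableTarget(String contextPath, String selNhid) {
        return contextPath + "/nhwhoods?action=membersNH&selNhid=" + selNhid;
    }

    // Hardened variant: reject anything outside the expected shape, then URL-encode so
    // every reserved character is emitted as %XX and cannot terminate the header.
    static String safeTarget(String contextPath, String selNhid) {
        if (selNhid == null || !SEL_NHID.matcher(selNhid).matches()) {
            throw new IllegalArgumentException("selNhid has an unexpected format");
        }
        String encoded = URLEncoder.encode(selNhid, StandardCharsets.UTF_8);
        return contextPath + "/nhwhoods?action=membersNH&selNhid=" + encoded;
    }

    public static void main(String[] args) {
        // Constructed sample input: a plausible ID followed by a CR/LF pair and extra text.
        String tainted = "42\r\nextra";

        // The original concatenation keeps the line break intact.
        System.out.println(vulnerableTarget("/app", tainted).contains("\r\n")); // true

        // The hardened version refuses the value before it reaches sendRedirect.
        try {
            safeTarget("/app", tainted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Encoding on its own, as in answer 3, also neutralises the sequence.
        System.out.println(URLEncoder.encode(tainted, StandardCharsets.UTF_8)); // 42%0D%0Aextra

        // A well-formed ID passes and is forwarded unchanged.
        System.out.println(safeTarget("/app", "42")); // /app/nhwhoods?action=membersNH&selNhid=42
    }
}
```

Validating the shape first is what gives the scanner (and a reviewer) a clear neutralisation point; the encoding step then covers any character the allow-list did not anticipate.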
Source: https://stackoverflow.com/questions/55705862/improper-neutralization-of-crlf-sequences-in-http-headers