5

I have gone through this link: "How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"".

But it does not give me the solution.

My code is also giving the error "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') CWE ID 113".

My code snippet is:

```java
Cookie newloginCookie = new Cookie("CMCLoginCookie", userName + ":" + password);
newloginCookie.setMaxAge(24 * 60 * 60); // setMaxAge() takes seconds, not milliseconds
response.addCookie(newloginCookie);
```

In the Veracode scan the error is reported for the last line. Not sure what to do about it.

Look at this related question. It had the fix for me. [CWE ID 113 Improper Neutralization of CRLF Sequences in HTTP Headers](https://stackoverflow.com/questions/31117558/improper-neutralization-of-crlf-sequences-in-http-headers-http-response-splitt/55864028#55864028) – Bindum May 23 '19 at 15:10

2 Answers

2

By using ESAPI you can fix most CWE issues.

Basically, for the above issue you need to remove the \r\n values from the user input, using a regular expression or DefaultHTTPUtilities.

1

Once you get the username and password, try stripping them of all "\r" and "\n" characters. Using something like Apache StringUtils, this would be something like this:

```java
String safeUserName = StringUtils.replaceEach(userName, new String[] {"\n", "\r"}, new String[] {"", ""});
String safePassword = StringUtils.replaceEach(password, new String[] {"\n", "\r"}, new String[] {"", ""});
```

Then create your cookie using the safe strings.

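As an added example (not code from either answer), here is a small helper in the spirit of the second answer that strips CR and LF with a plain JDK regex instead of Apache StringUtils, reports whether the input contained them so the attempt can be logged, and builds the cookie from the neutralised strings. It assumes the Servlet API is on the classpath; the login value in `main` is a constructed sample.

```java
import javax.servlet.http.Cookie;

/**
 * Neutralises CR/LF in values that end up in HTTP headers (CWE-113).
 * Assumes javax.servlet is available; the input in main() is constructed.
 */
public final class CookieSanitizer {

    private CookieSanitizer() {}

    /** True if the value could terminate the header line and start a new one. */
    public static boolean containsCrlf(String value) {
        return value != null && (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0);
    }

    /** Removes every CR and LF; same effect as StringUtils.replaceEach with "" replacements. */
    public static String stripCrlf(String value) {
        return value == null ? null : value.replaceAll("[\\r\\n]", "");
    }

    /** Builds the cookie from neutralised name and value, so response.addCookie() never sees CRLF. */
    public static Cookie safeCookie(String name, String value, int maxAgeSeconds) {
        Cookie cookie = new Cookie(stripCrlf(name), stripCrlf(value));
        cookie.setMaxAge(maxAgeSeconds); // seconds, not milliseconds
        return cookie;
    }

    public static void main(String[] args) {
        // Constructed input: a login field carrying a CRLF sequence followed by a forged header line.
        String userName = "alice\r\nX-Forged-Header: 1";
        String password = "secret";
        if (containsCrlf(userName) || containsCrlf(password)) {
            // A defender would log this: it is an injection attempt, not a typo.
            System.out.println("CRLF found in login input; neutralising before building the cookie");
        }
        Cookie c = safeCookie("CMCLoginCookie", userName + ":" + password, 24 * 60 * 60);
        System.out.println(c.getName() + "=" + c.getValue());
    }
}
```

The scanner flags `response.addCookie()` because the cookie value is tainted; passing only the output of `stripCrlf()` (or the `StringUtils` call above) into the `Cookie` constructor is what clears the finding.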