[英]VERACODE: CRLF Neutralization Warnings for Cookies - JAVA
recently after scanning our project we can across with Veracode warnings on CRLF neutralization.最近在扫描我们的项目后,我们可以看到关于 CRLF 中和的 Veracode 警告。 please find my error code below.请在下面找到我的错误代码。
Cookie[] c = request.getCookies();
c[i].setValue("");
c[i].setMaxAge(0);
getting the issue on below line在下面的问题上解决问题
response.addCookie(c[i]); response.addCookie(c[i]);
Solutions Tried: 1. setValue("")
tried replacing with \r or \n 2. used Encode.forJava(String)
3. Used ESAPI, but our project is running on Java 1.6.尝试过的解决方案: 1. setValue("")
尝试用 \r 或 \n 替换 2. 使用Encode.forJava(String)
3. 使用 ESAPI,但我们的项目运行在 Java 1.6。 No suitable ESAPI jar was found.找不到合适的 ESAPI jar。
Any recommendations here?这里有什么建议吗? am I missing anything?我错过了什么吗? Am I going in the wrong direction?我走错方向了吗? Can anyone help me with this?谁能帮我这个?
I don't think output encoding is the right approach here.我认为 output 编码在这里不是正确的方法。 Unless you are rendering the cookie name and/or value, the issue is not XSS, but rather HTTP Response Splitting.除非您呈现 cookie 名称和/或值,否则问题不是 XSS,而是 HTTP Response Splitting。
Strict allow-listing is the best approach, here but if find that impossible (because you are not sure what the allowed values are supposed to be, which might be the case if you were writing an HTTP library or getting values from downstream processes, etc.), then go with block-list data validation.严格的允许列表是最好的方法,但如果发现不可能(因为您不确定允许的值应该是什么,如果您正在编写 HTTP 库或从下游进程获取值等,则可能是这种情况.),然后是 go 和阻止列表数据验证。 For the block-list approach, I recommend either outright rejecting any cookie containing ':', '=', '\r', or '\n' (and log an appropriate error) and redirect the user to any appropriate error page.对于阻止列表方法,我建议直接拒绝任何包含“:”、“=”、“\r”或“\n”的 cookie(并记录适当的错误)并将用户重定向到任何适当的错误页面。 Alternately, if you detect anything in the block list, you could simply ignore those values by just silently stripping them out (although you many want to log them).或者,如果您在阻止列表中检测到任何内容,您可以通过默默地剥离它们来简单地忽略这些值(尽管您很多人想要记录它们)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.