
VERACODE: CRLF Neutralization Warnings for Cookies - JAVA

Recently, after scanning our project, we came across Veracode warnings on CRLF neutralization. Please find my error code below.

Cookie[] c = request.getCookies();   // c[i]: the cookie at the current loop index i
c[i].setValue("");                   // clear the value
c[i].setMaxAge(0);                   // expire the cookie immediately

Getting the issue on the line below:

response.addCookie(c[i]);

Solutions tried:
1. setValue(""): tried replacing with \r or \n
2. Used Encode.forJava(String)
3. Used ESAPI, but our project is running on Java 1.6. No suitable ESAPI jar was found.

Any recommendations here? Am I missing anything? Am I going in the wrong direction? Can anyone help me with this?

I don't think output encoding is the right approach here. Unless you are rendering the cookie name and/or value, the issue is not XSS, but rather HTTP Response Splitting.

Strict allow-listing is the best approach here, but if you find that impossible (because you are not sure what the allowed values are supposed to be, which might be the case if you were writing an HTTP library or getting values from downstream processes, etc.), then go with block-list data validation. For the block-list approach, I recommend either outright rejecting any cookie containing ':', '=', '\r', or '\n' (and logging an appropriate error) and redirecting the user to an appropriate error page. Alternately, if you detect anything in the block list, you could simply ignore those values by silently stripping them out (although you may want to log them).
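A worked version of the two options described in the answer above, added here as an example; it is not code from the original question or answer. It assumes a Servlet 2.5 / Java 1.6 environment, that the cookies being expired were issued with path "/", and that the SAFE_NAME pattern (RFC 6265 token characters) is an acceptable allow-list for this application's own cookie names. Because the value is always replaced with "", only the cookie name needs validating. Whether Veracode's scanner credits any particular check as a cleanser is not something this thread establishes.

```java
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not code from the original thread. Expires every cookie the
 * client sent without handing request-derived data straight to a Set-Cookie
 * header. Written against Servlet 2.5 so it compiles on Java 1.6 (no lambdas,
 * no diamond operator).
 */
public final class CookieExpirer {

    /**
     * Allow-list for a cookie name: RFC 6265 "token" characters, capped at 64.
     * Assumption: this is what the application's own cookie names look like.
     * Tighten it to the exact names you issue if you can, e.g. "^(JSESSIONID|remember_me)$".
     */
    private static final Pattern SAFE_NAME =
        Pattern.compile("^[A-Za-z0-9!#$%&'*+\\-.^_`|~]{1,64}$");

    /** Block-list from the answer: CR, LF and the cookie-syntax characters ':' and '='. */
    private static boolean containsBlocked(String s) {
        return s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0
            || s.indexOf(':') >= 0 || s.indexOf('=') >= 0;
    }

    /** True if the name passes the chosen policy (allow-list or block-list). */
    static boolean isAcceptableName(String name, boolean useAllowList) {
        if (name == null) {
            return false;
        }
        return useAllowList ? SAFE_NAME.matcher(name).matches() : !containsBlocked(name);
    }

    /**
     * Expires all cookies whose names pass the policy; cookies that fail are
     * logged and skipped, never echoed. Returns the number of Set-Cookie
     * headers added to the response.
     */
    public static int expireAll(HttpServletRequest request,
                                HttpServletResponse response,
                                boolean useAllowList) {
        Cookie[] incoming = request.getCookies();   // null when the client sent no Cookie header
        if (incoming == null) {
            return 0;
        }
        int expired = 0;
        for (int i = 0; i < incoming.length; i++) {
            String name = incoming[i].getName();
            if (!isAcceptableName(name, useAllowList)) {
                // Log the event but not the raw name: the name is the untrusted
                // data, and writing it verbatim to the log is the CWE-117 variant
                // of the same problem.
                System.err.println("Skipping cookie #" + i + ": name failed validation");
                continue;
            }
            // Build a fresh Cookie from the validated name only. The request's
            // Cookie object (its value, and anything else the container parsed)
            // is never passed to the response, so no unvalidated data reaches
            // the Set-Cookie header.
            Cookie kill;
            try {
                // The servlet API itself throws IllegalArgumentException for
                // non-token names and for reserved names such as "Path" or
                // "Version"; a hostile client can send those, so catch it.
                kill = new Cookie(name, "");
            } catch (IllegalArgumentException e) {
                System.err.println("Skipping cookie #" + i + ": container rejected the name");
                continue;
            }
            kill.setMaxAge(0);   // expire immediately
            kill.setPath("/");   // assumption: the cookies were issued with path "/"
            response.addCookie(kill);
            expired++;
        }
        return expired;
    }
}
```

The important design choice is the last part of the loop: instead of mutating and re-adding the Cookie object that came out of the request, the code constructs a new Cookie from a name that has already passed validation. A static analyser tracks the flow from request.getCookies() to response.addCookie(); re-adding the same object keeps that flow intact no matter what setValue("") does to it, whereas a new object built only from validated input breaks it. Call expireAll(request, response, true) for the allow-list policy and expireAll(request, response, false) for the block-list policy from the answer.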

