stackoom
  简体   繁体   中英

Fix for CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

 原文  2017-03-30 06:22:19       c#

Question

After running veracode scan, I got the CWE 113 error. I had found a solution to replace the cookie value, but still the issue is not fixed.

Fix for CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

string ReplaceHTTPRequestValue(string Value)
{
    string replacedValue = string.Empty;
    if (!string.IsNullOrEmpty(Value))
    {
        replacedValue = Value.Replace("\r", string.Empty)
                                .Replace("%0d", string.Empty)
                                .Replace("%0D", string.Empty)
                                .Replace("\n", string.Empty)
                                .Replace("%0a", string.Empty)
                                .Replace("%0A", string.Empty);
    }
    return replacedValue;
}

void WebTrends_PreRender()
{
    HttpCookie cookie = Request.Cookies["WT_CID"];
    string campaignIdVal = string.Empty;
    if (cookie != null)
    {
        campaignIdVal = ReplaceHTTPRequestValue(Request.Cookies["WT_CID"].Value);
    }
    else
    {
        campaignIdVal = string.Empty;
    }
}

How can I solve this?

2 answers

solution1
 1  2021-10-04 08:32:32

Please take a look at this link https://community.veracode.com/s/question/0D53n00007YVaMrCAL/how-to-fix-flaws-for-cwe-id-113-http-response-splitting

It is likely the reason the flaw continues to be reported is because the functions you are using are not in the list of Supported Cleansing Functions, which you can find in the Help Center here: https://help.veracode.com/go/review_cleansers . For example the supported function org.owasp.encoder.Encode.forJava() would cleanse for CWE-113, as well as CWE-117, CWE-80 and CWE-93. Please note that it is important to select the appropriate cleansing function for the context.

solution2
 0  2018-10-23 07:29:46

string ReplaceHTTPRequestValue(string Value) {
string NonCRLF = string.Empty;

        foreach (char item in Value)
        {

            NonCRLF += item.ToString().Replace("\n", "").Replace("\r","");
        }
        return NonCRLF;
    }

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Improper Neutralization of CRLF Sequences in HTTP Headers (CWE ID 113) How to fix “Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')” Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE ID 80 HTTP Sockets: Response Headers How to resolve these errors: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE ID90) VeraCode Reports ServiceStack OrmLite with Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE ID 89) C# HTTP get response headers are missing Occasional response headers in C# HTTP Request How can I fix improper Neutralization of Script-Related HTML Tags in a Web Page? How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM