ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

Build an encoding function specific to HTTP/Response Splitting (tactical remediation) #210

Open meg23 opened 9 years ago

meg23 commented 9 years ago

From manico.james@gmail.com on January 30, 2011 13:40:05

I think we need a better strategy for response splitting defense.

Right now, the only advice we give is to use the Request/Response wrappers, a defense that is not practical for all shops.

I think we need 2 approaches:

1) Input Validation function that specifically strips linefeed line control characters after canonicalization

2) Header Encoder that renders linefeed control characters inert (the best defense is always at the usage boundary)

Thoughts?

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=201

kwwall commented 7 years ago

@xeno6696 Weird that we had a duplicate 209 and 210. Too much caffeine that day for Manico? :)

Note that we should automatically do this cleansing to prevent HTTP Response Splitting for any cookies or other HTTP response headers that ESAPI may create. May require a code inspection to find all the cases.

kwwall commented 5 years ago

To satisfy the first item:

  1. Input Validation function that specifically strips linefeed line control characters after canonicalization

One can simply use the stripControls() static method from the org.owasp.esapi.StringUtilities class. Based on that, it is relatively easy to create the second item. But this is largely what SecurityWrapper already does.
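An added example, not ESAPI's own code, sketching the two approaches from the original report alongside the stripControls() suggestion above, in plain Java with no ESAPI dependency. The canonicalize() here is a hypothetical, simplified stand-in for ESAPI.encoder().canonicalize() (a bounded URL-decode loop), stripControls() is written in the spirit of StringUtilities.stripControls() rather than copied from it, and the tainted input is constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example, not ESAPI code: the two response-splitting defenses proposed in this issue.
public final class HeaderSplittingDefense {

    // Hypothetical stand-in for ESAPI.encoder().canonicalize(): URL-decode until the value
    // stops changing, so a double-encoded "%250d%250a" becomes a literal CR LF before the
    // control-character check runs. Bounded so nested encoding cannot loop forever; note that
    // URLDecoder also maps '+' to a space and rejects malformed escapes with IllegalArgumentException.
    static String canonicalize(String input) {
        String current = input;
        for (int pass = 0; pass < 5; pass++) {
            String decoded = URLDecoder.decode(current, StandardCharsets.UTF_8);
            if (decoded.equals(current)) {
                return decoded;
            }
            current = decoded;
        }
        throw new IllegalArgumentException("excessive nested encoding");
    }

    // Approach 1 (input validation): canonicalize, then strip CR, LF and every other C0
    // control plus DEL. Same intent as StringUtilities.stripControls(), not its implementation.
    static String stripControls(String input) {
        return canonicalize(input).replaceAll("[\\x00-\\x1F\\x7F]", "");
    }

    // Approach 2 (usage boundary): percent-encode control characters so a header value can
    // never terminate its own line. Apply it to the canonicalized value when setting the header.
    static String encodeForHttpHeader(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            if (c < 0x20 || c == 0x7F) {
                sb.append(String.format("%%%02X", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a redirect target carrying a double-encoded CRLF and a forged header line.
        String tainted = "/home%250d%250aX-Injected:%20yes";
        System.out.println("validated: " + stripControls(tainted));
        System.out.println("encoded:   " + encodeForHttpHeader(canonicalize(tainted)));
    }
}
```

The validator removes the CR LF entirely, while the encoder keeps the characters but turns them into `%0D%0A`, which the client sees as part of the value rather than as a line break.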

kwwall commented 5 years ago

Reset the priority from Medium to Low since there is already a way to accomplish this via StringUtilities.stripControls(). Plus it is open source with a liberal new BSD license. Pull out the code from SecurityWrapper to do only what you want it to do.