demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Build an encoding function specific to HTTP/Response Splitting (tactical remediation) #201

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
> I think we need a better strategy for response splitting defense.
>
> Right now, the only advice we give is to use the Request/Response
> wrappers, a defense that is not practical for all shops.
>
> I think we need 2 approaches:
>
> 1) Input Validation function that specifically strips linefeed line
> control characters after canonicalization
> 2) Header Encoder that renders linefeed control characters inert (the
> best defense is always at the usage boundary)
>
> Thoughts?

Original issue reported on code.google.com by manico.james@gmail.com on 30 Jan 2011 at 6:40
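As an added illustration of the two approaches proposed in the issue above (this is example code written for this page, not ESAPI code and not from the issue author), the following standalone Java class sketches both a strip-after-canonicalization validator and a header-value encoder. The class and method names `HeaderSplittingDefense`, `canonicalize`, `stripLineControls`, `isSafeHeaderValue` and `encodeForHttpHeader` are invented for this example; the `canonicalize` method is a deliberately minimal stand-in (repeated percent-decoding only) for ESAPI's much broader `Encoder.canonicalize()`. The sample input is constructed. It needs Java 10 or later for `URLDecoder.decode(String, Charset)`.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/**
 * Illustrative CR/LF defenses for HTTP header values (hypothetical names,
 * not part of ESAPI). Two layers, matching the two approaches in the issue:
 *  1) canonicalize, then strip line-control characters (input validation)
 *  2) encode the value at the point it is written into a header (usage boundary)
 */
public final class HeaderSplittingDefense {

    private static final int MAX_DECODE_PASSES = 5;

    /**
     * Minimal canonicalization stand-in: percent-decode until the value stops
     * changing, so a double-encoded "%250d" is reduced to a real CR before the
     * strip/validate step runs. Assumption: real ESAPI canonicalization handles
     * many more encodings; this only covers nested percent-encoding.
     * Note that URLDecoder also turns '+' into a space.
     */
    public static String canonicalize(String input) {
        String current = input;
        for (int pass = 0; pass < MAX_DECODE_PASSES; pass++) {
            String decoded;
            try {
                decoded = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                break; // malformed %xx escape: keep the last well-formed form
            }
            if (decoded.equals(current)) {
                break; // fixed point reached, nothing left to decode
            }
            current = decoded;
        }
        return current;
    }

    /**
     * Approach 1: drop CR, LF and every other C0 control character (RFC 7230
     * allows only VCHAR, SP, HTAB and obs-text inside a field value). Call this
     * on the canonical form, never on the raw input.
     */
    public static String stripLineControls(String canonical) {
        StringBuilder out = new StringBuilder(canonical.length());
        for (int i = 0; i < canonical.length(); i++) {
            char c = canonical.charAt(i);
            if (c == '\t' || c >= 0x20) {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** Allow-list check for callers that prefer to reject rather than repair. */
    public static boolean isSafeHeaderValue(String canonical) {
        return stripLineControls(canonical).equals(canonical);
    }

    /**
     * Approach 2: header encoder. Canonicalizes, then percent-encodes every
     * byte that is not printable ASCII, SP or HTAB (and '%' itself, so the
     * output round-trips unambiguously). CR and LF become the visible, inert
     * text "%0D" and "%0A" instead of terminating the header line.
     */
    public static String encodeForHttpHeader(String value) {
        String canonical = canonicalize(value);
        byte[] utf8 = canonical.getBytes(StandardCharsets.UTF_8);
        StringBuilder out = new StringBuilder(utf8.length);
        for (byte b : utf8) {
            int ch = b & 0xFF;
            boolean safe = ch == '\t' || (ch >= 0x20 && ch <= 0x7E && ch != '%');
            if (safe) {
                out.append((char) ch);
            } else {
                out.append('%').append(String.format("%02X", ch));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a parameter value carrying a double-encoded CRLF
        // followed by text that would begin a new header line if emitted verbatim.
        String tainted = "en_US%250d%250aX-Injected: demo";
        String canonical = canonicalize(tainted);
        String visible = canonical.replace("\r", "\\r").replace("\n", "\\n");
        System.out.println("canonical : " + visible);
        System.out.println("stripped  : " + stripLineControls(canonical));
        System.out.println("valid?    : " + isSafeHeaderValue(canonical));
        System.out.println("encoded   : " + encodeForHttpHeader(tainted));
    }
}
```

The encoder is the safer default at the usage boundary because it never silently changes which characters survive, but percent-encoding does alter the value, so it only fits headers whose value is opaque text; for headers the client parses structurally (a `Location` URL, a `Set-Cookie` attribute list) the canonicalize-then-validate path, rejecting any value where `isSafeHeaderValue` returns false, keeps the semantics intact. Whichever path is chosen, the check must run on the canonical form: stripping CR/LF from the raw, still-encoded input would pass "%0d%0a" straight through.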