gwhittemore-veracode / Veracode-GW-Training-demo


Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') [VID:113:com/veracode/verademo/controller/UserController.java:631] #85

Open github-actions[bot] opened 2 years ago

github-actions[bot] commented 2 years ago

https://github.com/gwhittemore-veracode/Veracode-GW-Training-demo/blob/2add22ec1b5a85a51e5134a9af33bf2e99488d44/com/veracode/verademo/controller/UserController.java#L626-L636

Filename: com/veracode/verademo/controller/UserController.java

Line: 631

CWE: 113 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'))

This call to javax.servlet.http.HttpServletResponse.addCookie() contains an HTTP response splitting flaw. Writing untrusted input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, to inject additional headers or an entire response body into the response stream. Injecting headers can be used to trick various security mechanisms in browsers into allowing XSS style attacks. Injecting entire response bodies can not only cause XSS attacks to succeed but may even poison the cache of any intermediary proxies between the clients and the application server.

The first argument to addCookie() contains tainted data from the variable cookie. The tainted data originated from earlier calls to javax.servlet.http.HttpServletRequest.getCookies, and AnnotationVirtualController.vc_annotation_entry.

Escape, encode, or remove carriage return and line feed characters from untrusted data before inclusion in HTTP response headers. Whenever possible, use a security library such as ESAPI that provides safe versions of addHeader(), etc. that will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

References: CWE, OWASP, Supported Cleansers

github-actions[bot] commented 2 years ago

Veracode issue link to PR: https://github.com/gwhittemore-veracode/Veracode-GW-Training-demo/pull/7

github-actions[bot] commented 1 year ago

Veracode issue link to PR: https://github.com/gwhittemore-veracode/Veracode-GW-Training-demo/pull/174