How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"
Solution 1
The easiest way to remove this issue is to use the ESAPI HttpUtilities present in the ESAPI jar. You can use
    ESAPI.httpUtilities().setHeader(response, param, value);
    ESAPI.httpUtilities().addCookie(response, cookie);
and similar methods for other tasks. You will need to have ESAPI.properties set in your classpath. This is the way we implemented it for Java. The same features are available for other languages too.
No additional work is required and it will solve the issue in Veracode.
Solution 2
I believe the problem is because the line
    languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);
accepts (untrusted) user input (i.e. Request.QueryString["l"]).
Try adding a function call to remove any carriage return or line feed characters (including their encoded equivalents like %0d and %0a) from that query string parameter before storing it in languageCookie.
For example, you might try changing that line to:
    languageCookie.Value = Server.UrlDecode(Request.QueryString["l"])
        .Replace("\r", string.Empty)
        .Replace("%0d", string.Empty)
        .Replace("%0D", string.Empty)
        .Replace("\n", string.Empty)
        .Replace("%0a", string.Empty)
        .Replace("%0A", string.Empty);
though that should probably be cleaned up a bit (I'm not a C# programmer at this time).
See also
- http://en.wikipedia.org/wiki/HTTP_response_splitting
- http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
- https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OWASP-DV-016)
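As an added example (not from any of the answers above), the following C# helper takes the same idea further: instead of a chain of Replace calls, it URL-decodes the value until it is stable (so a double-encoded %250d cannot survive a single decode), strips every control character, and then only accepts values that look like a culture name and belong to an explicit allowlist. The allowlist, the class name CultureCookieSanitizer and the sample inputs are assumptions made for this example; the fallback "Auto" matches the default used in the question's code.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility.UrlDecode

// Example helper (not part of the original question or answers).
// Sanitizes a culture name taken from a query string before it is stored in a cookie.
public static class CultureCookieSanitizer
{
    // Assumed set of cultures the application actually ships; adjust to your project.
    private static readonly HashSet<string> AllowedCultures =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "en", "en-US", "en-GB", "fr", "fr-FR", "de", "de-DE", "es", "es-ES"
        };

    // Culture names look like "en", "en-US", "zh-Hant-TW": letters, digits and hyphens only.
    private static readonly Regex CultureShape =
        new Regex(@"^[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*$", RegexOptions.Compiled);

    public static string Sanitize(string raw, string fallback = "Auto")
    {
        if (string.IsNullOrEmpty(raw))
            return fallback;

        // Decode until the value stops changing, so %250d -> %0d -> CR is caught.
        string decoded = raw;
        for (int i = 0; i < 3; i++)
        {
            string next = HttpUtility.UrlDecode(decoded);
            if (next == decoded)
                break;
            decoded = next;
        }

        // Remove CR, LF and every other control character (Unicode category Cc).
        string stripped = Regex.Replace(decoded, @"\p{Cc}", string.Empty);

        // Allow only values with the shape of a culture name that we know about.
        if (!CultureShape.IsMatch(stripped) || !AllowedCultures.Contains(stripped))
            return fallback;

        return stripped;
    }

    public static void Main()
    {
        // Constructed sample inputs: normal values, CRLF-encoded and double-encoded values,
        // an unknown culture and an empty parameter.
        string[] samples =
        {
            "en-US",
            "fr",
            "en-US%0d%0aX-Injected:%201",
            "en-US%250d%250aX-Injected:%201",
            "xx-NOTREAL",
            ""
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-36} -> {1}", s, Sanitize(s));
    }
}
```

In the question's InitializeCulture method this would replace the direct assignment with `languageCookie.Value = CultureCookieSanitizer.Sanitize(Request.QueryString["l"]);`. Note that the allowlist check, not the character stripping, is what makes the value safe: a static scanner that only recognises a fixed list of sanitizers may still flag it, as the third answer below describes, but the cookie value can then never carry a line break into the response header.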
Solution 3
It looks like a false positive as ASP.Net will automatically check the response headers and encode CRLF characters when the configuration option EnableHeaderChecking is true (the default value). This is available since version 2.0 of the .Net framework and will also protect the response header against CRLF chars present in the cookie name.
I understand that the scanner cannot trust that the server settings will be correct so I went and did a few tests with a function that replaces any CRLF chars from the string used in the cookie name, but Veracode simply won't accept it.
It seems like the scanner will only accept sanitization code from a pre-defined list of utilities. I did quite a few tests with URLEncode (which will encode the CRLF chars) from a few of the approved utilities but yet no luck.
References:
https://community.veracode.com/s/question/0D53400004DJusECAT/how-to-fix-crlf-http-response-splitting-in-java (though this answer refers to java it includes the link to the list of approved sanitizers, including C#)
https://help.veracode.com/reader/4EKhlLSMHm5jC8P8j3XccQ/IiF_rOE79ANbwnZwreSPGA
Asked by piterskiy. Updated on May 25, 2020.
Comments
- piterskiy, about 4 years ago:
After running VeraCode, it reported a following error "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')" in the following code fragment:
    protected override void InitializeCulture()
    {
        //If true then setup the ability to have a different culture loaded
        if (AppSettings.SelectLanguageVisibility)
        {
            //Create cookie variable and check to see if that cookie exists and set it if it does.
            HttpCookie languageCookie = new HttpCookie("LanguageCookie");
            if (Request.Cookies["LanguageCookie"] != null)
                languageCookie = Request.Cookies["LanguageCookie"];

            //Check to see if the user is changing the language using a query string.
            if (Server.UrlDecode(Request.QueryString["l"]) != null)
                languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);

            //Check to make sure the cookie isn't null and set the culture variable to auto if it is and the value of the cookie if it isn't.
            if (languageCookie.Value == null)
                languageCookie.Value = string.Empty;
            string culture = languageCookie.Value.ToString();
            if (string.IsNullOrEmpty(culture))
                culture = "Auto";

            //Use to set the Culture and UI Culture.
            this.UICulture = culture;
            this.Culture = culture;
            if (culture != "Auto")
            {
                //If culture is changed set the new Current Culture and CurrentUICulture.
                System.Globalization.CultureInfo ci = new System.Globalization.CultureInfo(culture);
                System.Threading.Thread.CurrentThread.CurrentCulture = ci;
                System.Threading.Thread.CurrentThread.CurrentUICulture = ci;
            }

            //Update the cookie value with the new culture and initialize the culture.
            Response.Cookies.Set(languageCookie);
            Response.Cookies["LanguageCookie"].Expires = DateTime.Now.ToLocalTime().AddYears(1);
            Response.Cookies["LanguageCookie"].HttpOnly = true;
        }
        else
        {
            //Else keep language as English if localization is not enabled.
            this.UICulture = "en";
            this.Culture = "en";
        }
        base.InitializeCulture();
    }
The report points to the line containing the following code: Response.Cookies.Set(languageCookie); What fix can be used to eliminate that error?
Thanks
- scott.korin, over 8 years ago: What is the DefaultHTTPUtilities object? What library is it in? Is it a third party object? Open Source?
- RG-3, over 6 years ago: This is Java. C# doesn't use ESAPI.
- devwebcl, about 6 years ago: Yes, it is Java, maybe we need to do a spin-off here. Anyway the current signature for addCookie is: ESAPI.httpUtilities().addCookie(response, cookie);
- Ron, almost 6 years ago: There is a problem here: the length of headerKey in both setHeader and addHeader is limited by hard-coded values, setHeader is 50, addHeader is 20. But I want to add a header whose length exceeds 20... it always fails. Even if I override addHeader, the response.addHeader will trigger the Veracode issue as well... Any idea?
- jacobq, over 5 years ago: This "answer" looks like it was copied and pasted from VeraCode's documentation for this scanner rule. What new information are you contributing here?
- Tarun, over 4 years ago: @devwebcl: I am up for a spin-off library for .NET :)
- Panneerselvam, over 3 years ago: Please find the latest methods available in ESAPI.jar for Java: 1. addCookie(Cookie cookie) 2. addCookie(HttpServletResponse response, Cookie cookie)