
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') [VID:113:org/owasp/webgoat/session/WebSession.java:297] #264

@github-actions

Description


Filename: org/owasp/webgoat/session/WebSession.java

Line: 297

CWE: 113 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'))

This call to javax.servlet.http.HttpServletResponse.addCookie() contains an HTTP response splitting flaw. Writing untrusted input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, to inject additional headers or an entire response body into the response stream. Injecting headers can be used to trick various security mechanisms in browsers into allowing XSS-style attacks. Injecting entire response bodies can not only cause XSS attacks to succeed but may even poison the cache of any intermediary proxies between the clients and the application server.

The first argument to addCookie() contains tainted data from the variable cookies. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getCookies.

Escape, encode, or remove carriage return and line feed characters from untrusted data before inclusion in HTTP response headers. Whenever possible, use a security library such as ESAPI that provides safe versions of addHeader(), etc. that will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

References: CWE, OWASP, WASC, Supported Cleansers
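The following is an added illustration of the reported pattern; it is not WebGoat's code from WebSession.java and not part of the scanner output. It assumes a simplified model of how a container frames a response (status line, header block, blank line, body) so that it runs as a plain Java program with no servlet API on the classpath. The cookie value with embedded CR/LF is constructed for the demonstration. The vulnerable function copies a request-supplied value straight into a Set-Cookie header, which is the shape of the flaw the finding describes; the hardened function validates the value against the RFC 6265 cookie-octet allowlist before it can reach a header, and a strip-CRLF fallback is shown for cases where rejecting is not an option.

```java
import java.util.regex.Pattern;

/**
 * Added example, not WebGoat's code: models how a Set-Cookie header is
 * serialised onto the wire and why an unneutralised CR/LF in the cookie
 * value splits the response. The framing below is a deliberately
 * simplified stand-in for what the container does when an
 * HttpServletResponse.addCookie() call is flushed.
 */
public class CookieCrlfDemo {

    // RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, DQUOTE,
    // comma, semicolon and backslash. Anything outside this set is rejected.
    private static final Pattern COOKIE_OCTETS =
            Pattern.compile("^[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*$");

    // Vulnerable pattern: a value taken from the request (e.g. via
    // getCookies()) is written into a response header untouched.
    static String vulnerableSetCookie(String name, String value) {
        return "Set-Cookie: " + name + "=" + value + "\r\n";
    }

    // Hardened: allowlist-validate before the value reaches a header.
    // Rejecting rather than "cleaning" makes tampering visible to the caller.
    static String safeSetCookie(String name, String value) {
        if (!COOKIE_OCTETS.matcher(value).matches()) {
            throw new IllegalArgumentException(
                    "cookie value contains characters outside the RFC 6265 cookie-octet set");
        }
        return "Set-Cookie: " + name + "=" + value + "\r\n";
    }

    // Fallback when rejecting is not possible: remove CR and LF so the
    // value can never terminate the header line. Note this still lets
    // ';' and spaces through, which is why the allowlist above is preferred.
    static String stripCrlf(String value) {
        return value.replaceAll("[\\r\\n]", "");
    }

    // Simplified response framing: status line, headers, blank line, body.
    static String render(String statusLine, String headerBlock, String body) {
        return statusLine + "\r\n" + headerBlock + "\r\n" + body;
    }

    // Counts status lines in the byte stream: a split response shows as 2.
    static int countResponses(String wire) {
        int n = 0;
        for (String line : wire.split("\r\n")) {
            if (line.startsWith("HTTP/1.1 ")) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled cookie value: ends the Set-Cookie
        // line, injects a header, then a complete second response whose
        // body a browser (or a caching proxy) would treat as the real page.
        String tainted = "abc\r\nContent-Length: 0\r\n\r\n"
                + "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
                + "<script>alert(1)</script>";

        String vulnerable = render("HTTP/1.1 200 OK",
                vulnerableSetCookie("JSESSIONID", tainted), "original body");
        System.out.println("--- vulnerable wire output, responses seen: "
                + countResponses(vulnerable) + " ---");
        System.out.print(vulnerable);
        System.out.println();

        String stripped = render("HTTP/1.1 200 OK",
                vulnerableSetCookie("JSESSIONID", stripCrlf(tainted)), "original body");
        System.out.println("--- CRLF-stripped wire output, responses seen: "
                + countResponses(stripped) + " ---");
        System.out.print(stripped);
        System.out.println();

        try {
            safeSetCookie("JSESSIONID", tainted);
        } catch (IllegalArgumentException e) {
            System.out.println("--- allowlist rejected the value: " + e.getMessage());
        }
        // A well-formed value passes the allowlist unchanged.
        System.out.print(safeSetCookie("JSESSIONID", "abc123"));
    }
}
```

Recent servlet containers tend to reject or strip CR/LF in header values themselves, so the raw split may not reproduce on a current Tomcat; the finding is still worth fixing at the application layer, because container behaviour is not a control the application owns and because values that survive a CRLF strip (semicolons, spaces) can still alter cookie attributes. Whether the copied cookies in WebSession.java need to be re-emitted at all is a design question for the WebGoat code itself, which this example does not reproduce.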
