Unsanitized user input in HTTP response (XSS)

Overview

  • Rule ID: java_lang_http_response_splitting

  • Applicable Languages: Java

  • Weakness ID: CWE-79

Description

Including unsanitized user input in an HTTP response header (for example a cookie value or a redirect Location) could allow an attacker to inject Carriage Return Line Feed (CRLF) characters into the response. Because CRLF terminates a header line, the attacker can append headers of their own, or end the header block early and supply a second, entirely attacker-controlled response body. When the browser renders that body, the result is a cross-site scripting (XSS) vulnerability. The injection step itself is known as HTTP response splitting (CWE-113); this page classifies the resulting outcome under CWE-79.

Remediation Guidelines

  • Avoid incorporating user input into cookies or other HTTP headers without appropriate sanitization; otherwise an attacker can use the input to manipulate the response.

    // Avoid this approach
    String data = request.getParameter("data");
    cookie.setValue(data); // Unsafe: CR/LF from the request reach the Set-Cookie header unchanged
    
  • To mitigate the risk of response splitting and XSS attacks, remove CR and LF characters from user input before it is written to a header. Note that request.getParameter already URL-decodes the value, so "%0d%0a" in the query string arrives as a real CR LF pair, and that a lone "\n" (or "\r") is enough to end a header line, so remove each character individually rather than only the "\r\n" pair. Do not rely on the servlet container to reject these characters for you. You can use the following code snippet as a reference for sanitizing input in Java:

    var input = request.getParameter("data");
    var sanitized = input == null ? "" : input.replaceAll("[\\r\\n]", ""); // drop every CR and LF, not just the pair
    cookie.setValue(sanitized);
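The following is an added example, not code from the original rule page: it renders the header block a server would write for the "data" cookie, shows that CR/LF in the user-supplied value lets the attacker start a second response, and contrasts two ways of neutralising the characters (stripping them, or percent-encoding the value so it still round-trips). The render and isSplit helpers are constructed here purely to make the split visible; the servlet classes mentioned in the final comment are assumed and are not compiled by this program.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not part of the original rule page). Demonstrates HTTP
 * response splitting through a cookie value and two sanitisers for it.
 * Runs stand-alone: java HeaderSanitizer.java
 */
public final class HeaderSanitizer {

    /** Strips CR, LF and every other ASCII control character from a header value. */
    public static String sanitizeHeaderValue(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(raw.length());
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            // RFC 7230 field values may not contain CR, LF or other control characters.
            if (c == '\r' || c == '\n' || c < 0x20 || c == 0x7f) {
                continue;
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Alternative that keeps the data round-trippable: percent-encode instead of stripping. */
    public static String encodeCookieValue(String raw) {
        // CR becomes %0D and LF becomes %0A, so no raw line break can reach the header.
        return URLEncoder.encode(raw == null ? "" : raw, StandardCharsets.UTF_8);
    }

    /**
     * Renders the raw bytes a server would write for a response that sets the
     * "data" cookie. Constructed here only to make the split visible; a real
     * servlet container produces these bytes for you.
     */
    static String render(String cookieValue) {
        return "HTTP/1.1 200 OK\r\n"
             + "Set-Cookie: data=" + cookieValue + "\r\n"
             + "Content-Type: text/html\r\n"
             + "\r\n"
             + "<p>hello</p>";
    }

    /** True if a second status line appears after a header terminator, i.e. the response was split. */
    static boolean isSplit(String rendered) {
        return rendered.indexOf("\r\n\r\nHTTP/1.1 ") >= 0;
    }

    public static void main(String[] args) {
        // Constructed attacker input: what getParameter("data") returns after URL-decoding
        // ?data=x%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a...
        String attack = "x\r\nContent-Length: 0\r\n\r\n"
                      + "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
                      + "<script>alert(1)</script>";

        String unsafe = render(attack);                         // cookie.setValue(attack)
        String stripped = render(sanitizeHeaderValue(attack));  // cookie.setValue(sanitized)
        String encoded = render(encodeCookieValue(attack));     // cookie.setValue(encoded)

        System.out.println("--- unsafe rendering (CR LF shown escaped) ---");
        System.out.println(unsafe.replace("\r\n", "\\r\\n\n"));
        System.out.println("unsafe split?   " + isSplit(unsafe));
        System.out.println("stripped split? " + isSplit(stripped));
        System.out.println("encoded split?  " + isSplit(encoded));

        // A bare LF also ends a header line; removing only the "\r\n" pair misses it.
        String bareLf = "x\nSet-Cookie: admin=true";
        System.out.println("bare LF survives pair-only replaceAll? "
                + bareLf.replaceAll("\r\n", "").contains("\n"));
        System.out.println("bare LF survives sanitizeHeaderValue?  "
                + sanitizeHeaderValue(bareLf).contains("\n"));

        // Servlet wiring (jakarta.servlet.http.Cookie), assumed and not compiled here:
        //   Cookie c = new Cookie("data", sanitizeHeaderValue(request.getParameter("data")));
        //   response.addCookie(c);
    }
}
```

Running it shows the unsafe rendering carrying a complete second response, with the injected script as its body, while the stripped and encoded renderings contain only the single intended response. The bare-LF check shows why the sanitiser must remove CR and LF individually rather than only the CRLF pair. Prefer encodeCookieValue when the value must be read back unchanged, and sanitizeHeaderValue when the header must stay plain text.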


Configuration

To omit this rule during a scan, exclude the rule ID java_lang_http_response_splitting in your SAST tool's configuration.
