[Esapi-user] Response Splitting

Jim Manico jim.manico at owasp.org
Mon Jan 24 10:35:02 EST 2011

I think we need a better strategy for response splitting defense.

Right now, the only advice we give is to use the Request/Response
wrappers, a defense that is not practical for all shops.

I think we need 2 approaches:

1) Input Validation function that specifically strips linefeed line
control characters after canonicalization
2) Header Encoder that renders linefeed control characters inert (the
best defense is always at the usage boundary)


- Jim
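
As an added illustration of the two approaches above (example code, not ESAPI's own implementation), the class below pairs a canonicalize-then-strip validator with a header encoder; the class and method names are assumptions of this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example, not ESAPI code: the two header defenses proposed in the post (Java 10+).
public final class HeaderSplittingDefense {
    // Percent-decode until the value stops changing, so a double-encoded %250D%250A is
    // seen as CR LF. Bounded so hostile input cannot keep us looping; a malformed %xx
    // escape ends decoding. Note that URLDecoder also maps '+' to a space.
    public static String canonicalize(String value) {
        String current = value;
        for (int round = 0; round < 4; round++) {
            String decoded;
            try {
                decoded = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                break;
            }
            if (decoded.equals(current)) break;
            current = decoded;
        }
        return current;
    }

    // Approach 1 (input validation): canonicalize, then drop CR, LF and every other
    // C0 control character except horizontal tab, which RFC 7230 allows in a field value.
    public static String stripHeaderControls(String value) {
        StringBuilder out = new StringBuilder();
        for (char ch : canonicalize(value).toCharArray()) {
            if (ch == '\t' || (ch >= 0x20 && ch != 0x7F)) out.append(ch);
        }
        return out.toString();
    }

    // Approach 2 (encoder at the usage boundary): keep the data but percent-encode
    // control characters and '%', so CR/LF reach the client as inert text that can
    // never terminate the header line.
    public static String encodeForHeader(String value) {
        StringBuilder out = new StringBuilder();
        for (char ch : value.toCharArray()) {
            if (ch < 0x20 || ch == 0x7F || ch == '%') out.append(String.format("%%%02X", (int) ch));
            else out.append(ch);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String hostile = "en%250d%250aX-Injected:%201";             // constructed sample input
        System.out.println(stripHeaderControls(hostile));           // enX-Injected: 1
        System.out.println(encodeForHeader("en\r\nX-Injected: 1")); // en%0D%0AX-Injected: 1
    }
}
```

The validator belongs where untrusted input enters (it alters the value, so it is a rejection or normalization step), while the encoder belongs immediately before the value is written into a response header.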
