[Esapi-user] Response Splitting

Jim Manico jim.manico at owasp.org
Mon Jan 24 10:35:02 EST 2011


I think we need a better strategy for response splitting defense.

Right now, the only advice we give is to use the Request/Response
wrappers, a defense that is not practical for all shops.

I think we need 2 approaches:

1) Input Validation function that specifically strips linefeed line
control characters after canonicalization
2) Header Encoder that renders linefeed control characters inert (the
best defense is always at the usage boundary)

Thoughts?

- Jim
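As an added example (not code from the post or from ESAPI itself), the two approaches above written out in Python: a validator that canonicalizes and then strips line control characters, and a header encoder that renders CR/LF inert at the point the header is written. The safe-character set, the sample redirect value and the minimal response builder are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# CR, LF and NUL: the characters that let a caller-controlled value end the
# current header line and start a new header (or a new response body).
_LINE_CONTROLS = re.compile(r"[\r\n\x00]")

def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Collapse nested percent-encoding (%0d%0a, %250d%250a, ...) to the
    literal characters it denotes; bounded so hostile input cannot loop."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def validate_header_value(value: str) -> str:
    """Approach 1: canonicalize first, then strip line control characters,
    so the value cannot terminate a header line however it was encoded."""
    return _LINE_CONTROLS.sub("", canonicalize(value))

# Characters the header encoder passes through unchanged (an assumption for
# this example); every other character is percent-encoded byte by byte.
_HEADER_SAFE = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~/:?=&"
)

def encode_for_header(value: str) -> str:
    """Approach 2: output encoding at the usage boundary. CR/LF become the
    inert text %0D%0A, so the header stays one line and the data survives."""
    return "".join(
        ch if ch in _HEADER_SAFE else "".join(f"%{b:02X}" for b in ch.encode("utf-8"))
        for ch in value
    )

def build_redirect(location: str, encoded: bool) -> bytes:
    """Minimal 302 response; encoded=False is the plain concatenation shown
    only for contrast, encoded=True runs the value through the encoder."""
    value = encode_for_header(location) if encoded else location
    lines = ["HTTP/1.1 302 Found", "Location: " + value, "Content-Length: 0"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("utf-8")

def header_lines(raw: bytes) -> list:
    """Header lines of a raw response, status line excluded; a split response
    shows up as more lines than the server meant to send."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")[1:]

# Constructed sample: a redirect target carrying a double-encoded CRLF followed
# by text that would read as a new header if the CRLF got through unchanged.
SAMPLE = "/home%250d%250aX-Injected:%201"
```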

