[Esapi-user] [Esapi-dev] Response Splitting

Jim Manico jim.manico at owasp.org
Sun Jan 30 13:40:43 EST 2011

I added an issue to the google code tracker for this feature suggestion.


> I think we need a better strategy for response splitting defense.
>> Right now, the only advice we give is to use the Request/Response
>> wrappers, a defense that is not practical for all shops.
>> I think we need 2 approaches:
>> 1) Input Validation function that specifically strips linefeed line
>> control characters after cannonicalization
>> 2) Header Encoder that renders linefeed control characters innert (the
>> best defense is always at the usage boundary)
>> Thoughts?

More information about the Esapi-user mailing list