[Esapi-user] [Esapi-dev] Response Splitting

Jim Manico jim.manico at owasp.org
Sun Jan 30 13:40:43 EST 2011


I added an issue to the google code tracker for this feature suggestion.

http://code.google.com/p/owasp-esapi-java/issues/detail?id=201

> I think we need a better strategy for response splitting defense.
>>
>> Right now, the only advice we give is to use the Request/Response
>> wrappers, a defense that is not practical for all shops.
>>
>> I think we need 2 approaches:
>>
>> 1) Input Validation function that specifically strips linefeed line
>> control characters after canonicalization
>> 2) Header Encoder that renders linefeed control characters inert (the
>> best defense is always at the usage boundary)
>>
>> Thoughts?

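The two defenses proposed in the quoted message, as an added illustration that is not ESAPI code and not part of the original thread: a validator that canonicalizes (repeated percent-decoding, so double-encoded `%250d%250a` surfaces as a real CR/LF) and then rejects any line control character, and a header encoder applied at the usage boundary that strips CR, LF and the other control characters so the value can no longer terminate the header line. The class and method names (`HeaderSplittingDefense`, `canonicalize`, `validateHeaderValue`, `encodeForHeader`) and the sample values are assumptions made for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/** Added example (not ESAPI's code): the two response-splitting defenses from the thread. */
public final class HeaderSplittingDefense {

    // Bound on decode passes so a pathological input cannot keep us looping.
    private static final int MAX_DECODE_PASSES = 4;

    /**
     * Canonicalize: percent-decode repeatedly until the value stops changing, so that
     * %0d%0a and double-encoded %250d%250a both surface as a raw CR/LF before validation.
     * Note that URLDecoder also turns '+' into a space, which is acceptable here.
     */
    static String canonicalize(String value) {
        String current = value;
        for (int i = 0; i < MAX_DECODE_PASSES; i++) {
            String decoded;
            try {
                decoded = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                break; // a stray '%' that is not a valid escape: stop and validate what we have
            }
            if (decoded.equals(current)) {
                break; // stable: nothing left to decode
            }
            current = decoded;
        }
        return current;
    }

    /** Approach 1: input validation. Canonicalize first, then reject any CR or LF. */
    static String validateHeaderValue(String value) {
        String canonical = canonicalize(value);
        for (int i = 0; i < canonical.length(); i++) {
            char c = canonical.charAt(i);
            if (c == '\r' || c == '\n') {
                throw new IllegalArgumentException("line control character in header value");
            }
        }
        return canonical;
    }

    /**
     * Approach 2: header encoder at the usage boundary. Whatever reached this point,
     * drop CR, LF and every other C0/DEL control character (tab excepted) so the
     * value cannot end the current header line or start a new one.
     */
    static String encodeForHeader(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean control = (c < 0x20 && c != '\t') || c == 0x7F;
            if (!control) {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a redirect target with a double-encoded CRLF and an injected header.
        String doubleEncoded = "/home%250d%250aSet-Cookie:%20session=injected";
        try {
            validateHeaderValue(doubleEncoded);
        } catch (IllegalArgumentException rejected) {
            System.out.println("validation rejected: " + rejected.getMessage());
        }

        // Constructed sample: a value that already contains a raw CRLF reaches the boundary encoder.
        String rawCrlf = "/home\r\nSet-Cookie: session=injected";
        System.out.println("encoded for header: " + encodeForHeader(rawCrlf));
    }
}
```

The validator belongs where untrusted input enters (it fails closed and tells the caller why), while the encoder belongs in the one helper that actually calls `response.setHeader`/`sendRedirect`, so it still runs when a validation step was forgotten. Many servlet containers now refuse CR/LF in header values themselves, but the boundary encoder remains useful for values that are forwarded to cookies, proxies or other components that do not.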

