[OWASP-ESAPI] ESAPI - HTTP Response Splitting

Jeff Williams jeff.williams at owasp.org
Tue Mar 24 23:42:10 EDT 2009

Hi Khash,


The SafeRequest and SafeResponse classes have full support for header
validation.  Use a simple filter to wrap the request and response with these
classes.  As pointed out in the previous message, we need to make these
classes implement the HttpRequestWrapper and HttpResponseWrapper interfaces.







From: Khash Kiani [mailto:khash.kiani at gmail.com] 
Sent: Tuesday, March 24, 2009 7:29 PM
To: jeff.williams at owasp.org
Subject: ESAPI - HTTP Response Splitting


Hi Jeff,
I've been using some of the great utilities that come with the ESAPI APIs.
However, I can't find anything for filtering out CR and LF as an interim
solution against HTTP Response Splitting until we have proper white-list
input validation in place for HTTP headers. Are there any ESAPI utilities
specifically for this purpose?


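Added example, not part of the original thread and not ESAPI code: a minimal sketch of the filter-and-wrapper approach the reply describes, built only on the standard `javax.servlet` API. The class names `HeaderValidationFilter` and `CrLfRejectingResponse` are hypothetical, and this sketch rejects CR/LF outright instead of reproducing what SafeRequest and SafeResponse validate.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter: wraps each HTTP response so every header write is checked. */
public class HeaderValidationFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (resp instanceof HttpServletResponse) {
            resp = new CrLfRejectingResponse((HttpServletResponse) resp);
        }
        chain.doFilter(req, resp); // downstream code only ever sees the wrapper
    }

    /** Hypothetical wrapper: refuses any header name or value containing CR or LF. */
    static class CrLfRejectingResponse extends HttpServletResponseWrapper {
        CrLfRejectingResponse(HttpServletResponse response) { super(response); }

        static String check(String s) {
            if (s != null && (s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0)) {
                // Fail closed: a line break here would let a value start a new header or body.
                throw new IllegalArgumentException("CR/LF not allowed in HTTP header data");
            }
            return s;
        }

        @Override public void setHeader(String name, String value) {
            super.setHeader(check(name), check(value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(check(name), check(value));
        }
        @Override public void sendRedirect(String location) throws IOException {
            super.sendRedirect(check(location)); // Location header is a common sink
        }
        @Override public void addCookie(Cookie c) {
            check(c.getName()); check(c.getValue()); check(c.getPath()); check(c.getDomain());
            super.addCookie(c);
        }
    }
}
```

The filter has to be mapped ahead of any servlet or filter that writes headers, otherwise those writes bypass the wrapper.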