[OWASP-ESAPI] ESAPI - HTTP Response Splitting

Jeff Williams jeff.williams at owasp.org
Tue Mar 24 23:42:10 EDT 2009


Hi Khash,

The SafeRequest and SafeResponse classes have full support for header
validation.  Use a simple filter to wrap the request and response with these
classes.  As pointed out in the previous message, we need to make these
classes implement the HttpRequestWrapper and HttpResponseWrapper interfaces.

Thanks!

--Jeff

From: Khash Kiani [mailto:khash.kiani at gmail.com] 
Sent: Tuesday, March 24, 2009 7:29 PM
To: jeff.williams at owasp.org
Subject: ESAPI - HTTP Response Splitting

Hi Jeff,
I've been using some of the great utilities that come with the ESAPI APIs.
However, I can't find anything for filtering out CR and LF as an interim
solution against HTTP Response Splitting until we have proper white-list
input validation in place for HTTP headers. Are there any ESAPI utilities
specifically for this purpose?

Thx.
Khash 
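
A sketch of the filter-and-wrapper pattern described in the reply above, applied to the interim CR/LF stripping the question asks about. This is an added example, not part of the thread and not ESAPI's SafeResponse; the class names CrlfStrippingFilter and CrlfSafeResponse are hypothetical, and it assumes the standard javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter (not ESAPI code): strips CR/LF from response headers. */
public class CrlfStrippingFilter implements Filter {

    /** Remove CR and LF so a value cannot terminate its header line early. */
    static String strip(String value) {
        return value == null ? null : value.replaceAll("[\\r\\n]", "");
    }

    /** Sanitizes every String that the container writes into a header. */
    static class CrlfSafeResponse extends HttpServletResponseWrapper {
        CrlfSafeResponse(HttpServletResponse response) { super(response); }

        @Override public void setHeader(String name, String value) {
            super.setHeader(strip(name), strip(value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(strip(name), strip(value));
        }
        @Override public void sendRedirect(String location) throws IOException {
            super.sendRedirect(strip(location));   // Location header
        }
        @Override public void setContentType(String type) {
            super.setContentType(strip(type));     // Content-Type header
        }
        @Override public void addCookie(Cookie cookie) {
            // Set-Cookie header: the name is immutable, the rest is not.
            cookie.setValue(strip(cookie.getValue()));
            if (cookie.getPath() != null) cookie.setPath(strip(cookie.getPath()));
            if (cookie.getDomain() != null) cookie.setDomain(strip(cookie.getDomain()));
            super.addCookie(cookie);
        }
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    /** Wrap the response once, before any servlet or JSP can set a header. */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            res = new CrlfSafeResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }
}
```

The filter has to be mapped ahead of every servlet in web.xml so that no code path reaches the unwrapped response.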
