[OWASP-ESAPI] ESAPI - HTTP Response Splitting

Jim Manico jim.manico at owasp.org
Wed Mar 25 05:16:33 EDT 2009


Please note that the next version of the Java servlet standard will force servlet engine implementors to have this kind of protection baked in. (go Jeff)

- Jim
  ----- Original Message ----- 
  From: Jeff Williams 
  To: 'Khash Kiani' ; owasp-esapi at lists.owasp.org 
  Sent: Tuesday, March 24, 2009 5:42 PM
  Subject: Re: [OWASP-ESAPI] ESAPI - HTTP Response Splitting


  Hi Khash,

  The SafeRequest and SafeResponse classes have full support for header validation.  Use a simple filter to wrap the request and response with these classes.  As pointed out in the previous message, we need to make these classes implement the HttpRequestWrapper and HttpResponseWrapper interfaces.

  Thanks!

  --Jeff


  From: Khash Kiani [mailto:khash.kiani at gmail.com] 
  Sent: Tuesday, March 24, 2009 7:29 PM
  To: jeff.williams at owasp.org
  Subject: ESAPI - HTTP Response Splitting

  Hi Jeff,
  I've been using some of the great utilities that come with the ESAPI APIs. However, I can't find anything for filtering out CR and LF as an interim solution against HTTP Response Splitting until we have proper white-list input validation in place for HTTP headers. Are there any ESAPI utilities specifically for this purpose?

  Thx.
  Khash 



------------------------------------------------------------------------------


  _______________________________________________
  OWASP-ESAPI mailing list
  OWASP-ESAPI at lists.owasp.org
  https://lists.owasp.org/mailman/listinfo/owasp-esapi
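The filter-plus-wrapper approach Jeff describes above, written out as an added example. This is not the original post's code and not ESAPI's SafeRequest/SafeResponse; it is a minimal, hypothetical HttpServletResponseWrapper that rejects CR, LF and other control characters in any header it is asked to emit, which is exactly the interim CR/LF check Khash asked about. Class and method names (HeaderValidationFilter, HeaderValidatingResponse, require) are assumptions chosen for the example.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical example filter (not ESAPI's own code): wraps the response so
 * that every header-writing call is checked before it reaches the container.
 * Map it to /* in web.xml so it sits in front of all servlets.
 */
public class HeaderValidationFilter implements Filter {

    /** Header names are restricted to RFC token characters (a whitelist). */
    private static final Pattern HEADER_NAME = Pattern.compile("^[A-Za-z0-9!#$%&'*+.^_`|~-]+$");

    static final class HeaderValidatingResponse extends HttpServletResponseWrapper {

        HeaderValidatingResponse(HttpServletResponse response) {
            super(response);
        }

        /**
         * Reject rather than strip. Stripping CR/LF silently changes the value an
         * attacker supplied and still lets other control characters through;
         * failing loudly also surfaces the injection attempt in the logs.
         * HTAB is allowed because HTTP permits it inside field values.
         */
        static String require(String header, String value) {
            if (value == null) {
                return null;
            }
            for (int i = 0; i < value.length(); i++) {
                char c = value.charAt(i);
                boolean control = (c < 0x20 && c != '\t') || c == 0x7F;
                if (control) {
                    throw new IllegalArgumentException(
                        "Control character U+" + Integer.toHexString(c) + " in header " + header);
                }
            }
            return value;
        }

        static String requireName(String name) {
            if (name == null || !HEADER_NAME.matcher(name).matches()) {
                throw new IllegalArgumentException("Illegal header name: " + name);
            }
            return name;
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(requireName(name), require(name, value));
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(requireName(name), require(name, value));
        }

        /** sendRedirect writes a Location header, the classic splitting sink. */
        @Override
        public void sendRedirect(String location) throws IOException {
            super.sendRedirect(require("Location", location));
        }

        /** Cookies become a Set-Cookie header; every attacker-influenced part is checked. */
        @Override
        public void addCookie(Cookie cookie) {
            require("Set-Cookie name", cookie.getName());
            require("Set-Cookie value", cookie.getValue());
            require("Set-Cookie path", cookie.getPath());
            require("Set-Cookie domain", cookie.getDomain());
            super.addCookie(cookie);
        }
    }

    @Override
    public void init(FilterConfig config) {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            chain.doFilter(req, new HeaderValidatingResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }
}
```

Two caveats a reviewer would raise. First, the wrapper only sees headers written through it: a servlet that unwraps the response, or code that writes raw bytes to the output stream, bypasses it, which is why Jeff's reply frames this as complementary to proper whitelist input validation rather than a replacement for it. Second, a value such as `%0d%0a` is harmless here only if nothing later URL-decodes it before it is written, so the check belongs as close to the sink as possible, which is what wrapping the response achieves.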