[OWASP-ESAPI] ESAPI - HTTP Response Splitting

Jim Manico jim.manico at owasp.org
Wed Mar 25 05:16:33 EDT 2009

Please note that the next version of the Java servlet standard will force servlet engine implementors to have this kind of protection baked in. (go Jeff)

- Jim
  ----- Original Message ----- 
  From: Jeff Williams 
  To: 'Khash Kiani' ; owasp-esapi at lists.owasp.org 
  Sent: Tuesday, March 24, 2009 5:42 PM
  Subject: Re: [OWASP-ESAPI] ESAPI - HTTP Response Splitting

  Hi Khash,


  The SafeRequest and SafeResponse classes have full support for header validation.  Use a simple filter to wrap the request and response with these classes.  As pointed out in the previous message, we need to make these classes implement the HttpRequestWrapper and HttpResponseWrapper interfaces.
  From: Khash Kiani [mailto:khash.kiani at gmail.com] 
  Sent: Tuesday, March 24, 2009 7:29 PM
  To: jeff.williams at owasp.org
  Subject: ESAPI - HTTP Response Splitting
  Hi Jeff,
  I've been using some of the great utilities that come with the ESAPI APIs. However, I can't find anything for filtering out CR and LF as an interim solution against HTTP Response Splitting until we have proper white-list input validation in place for HTTP headers. Are there any ESAPI utilities specifically for this purpose?

  OWASP-ESAPI mailing list
  OWASP-ESAPI at lists.owasp.org
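The "simple filter to wrap the request and response" that Jeff describes, written out as an added example. This is not ESAPI's SafeRequest/SafeResponse code and not part of the original thread; it is a hypothetical javax.servlet (Servlet 2.5 era) Filter named HeaderSplittingFilter that wraps the HttpServletResponse in an HttpServletResponseWrapper and rejects any header name, header value, redirect location or cookie field that contains a CR or LF, which is exactly the interim CR/LF check Khash asks about. The class and method names are the example's own.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical interim anti-response-splitting filter (added example, not ESAPI code).
 * Every header-producing call on the response passes through the wrapper, so a
 * value such as "en\r\nSet-Cookie: admin=true" can never reach the socket as two
 * header lines.
 */
public class HeaderSplittingFilter implements Filter {

    /** True if the value contains a character that would terminate a header line. */
    static boolean containsCrLf(String value) {
        if (value == null) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n') return true;
        }
        return false;
    }

    /** Fails loudly instead of silently stripping, so the missing validation gets noticed. */
    static String requireSingleLine(String what, String value) {
        if (containsCrLf(value)) {
            throw new IllegalArgumentException(what + " contains CR or LF and was rejected");
        }
        return value;
    }

    /** Response wrapper: the container only ever sees single-line header data. */
    static class SafeHeaderResponse extends HttpServletResponseWrapper {
        SafeHeaderResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(requireSingleLine("header name", name),
                            requireSingleLine("header value", value));
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(requireSingleLine("header name", name),
                            requireSingleLine("header value", value));
        }

        @Override
        public void sendRedirect(String location) throws IOException {
            // Location is the classic injection point: user input copied into a redirect.
            super.sendRedirect(requireSingleLine("redirect location", location));
        }

        @Override
        public void addCookie(Cookie cookie) {
            // Cookies become a Set-Cookie header, so each textual field is checked too.
            requireSingleLine("cookie name", cookie.getName());
            requireSingleLine("cookie value", cookie.getValue());
            requireSingleLine("cookie path", cookie.getPath());
            requireSingleLine("cookie domain", cookie.getDomain());
            super.addCookie(cookie);
        }
    }

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            chain.doFilter(request, new SafeHeaderResponse((HttpServletResponse) response));
        } else {
            chain.doFilter(request, response);
        }
    }
}
```

Map the filter to "/*" in web.xml so it wraps every response, and note two limits: it only covers headers written through the servlet API (not a response body), and rejecting CR/LF is a stop-gap against splitting, not the white-list validation of header values that Khash says is still to be put in place.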