Checking response header in java

Question

Checking response header in java

I pass directly the user parameter in my response header. What I found out is not a good idea, as the user can manipulate the header, and this can lead to Cross Site script attacks and other types of multiple attacks.

https://www.fortify.com/vulncat/en/vulncat/python/header_manipulation.html

What I am doing to prevent this is checking the user input for "splitting the HTTP response", replacing the characters "\ r" and "\ n" with the empty string "". Is this enough, or should I check other characters. Any pointers would be very helpful.

This is my code.

if(response != null)
  {
   newResponse = response.replaceAll("[\r\n]", "");
  }

This is enough to prevent this type of attack, or I should also check other characters.

+3

java split security http response

Muneeb Ahmad Apr 24 '12 at 7:48

source share

2 answers

The information you give is not enough to answer correctly. We need to know what you are doing with the parameter value to determine if your actions are sufficient or not, and what is the environment in which your code works. A short, 100% correct (but rather useless) answer will be no.

, , . Python Java. , . .

0

Torben 24 . '12 8:11

artbristol · Accepted Answer · 2012-04-24T08:12:58+0000

Whitelisting is much safer than blacklisting. Whether whitelisting is possible depends on how much you know about the user parameter.

More details here:

http://cwe.mitre.org/data/definitions/113.html

Checking response header in java

More articles: