Unsanitized user input in HTTP response (XSS)

Description

Including unsanitized user input in a HTTP response could allow an attacker inject Carriage Return Line Feed (CRLF) characters into the response. An entirely attacker-controlled response can then be returned, creating a cross-site scripting (XSS) vulnerability.

Remediations

  • Do not include user input in cookies or other HTTP headers without proper sanitization. This can prevent attackers from exploiting the input to manipulate the response.
  • Do remove CRLF sequences from user input to mitigate the risk of response splitting and XSS attacks. Use the following code snippet as a reference for sanitizing input in Java:
    var input = request.getParameter("data");
    var sanitized = input.replaceAll("\r\n", "");
    cookie.setValue(sanitized);

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_http_response_splitting

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_http_response_splitting