Unsanitized user input in HTTP response (XSS)
- Rule ID: java_lang_http_response_splitting
- Languages: java
- Source: http_response_splitting.yml
Description
Including unsanitized user input in a HTTP response could allow an attacker inject Carriage Return Line Feed (CRLF) characters into the response. An entirely attacker-controlled response can then be returned, creating a cross-site scripting (XSS) vulnerability.
Remediations
- Do not include user input in cookies or other HTTP headers without proper sanitization. This can prevent attackers from exploiting the input to manipulate the response.
- Do remove CRLF sequences from user input to mitigate the risk of response splitting and XSS attacks. Use the following code snippet as a reference for sanitizing input in Java:
var input = request.getParameter("data");
var sanitized = input.replaceAll("\r\n", "");
cookie.setValue(sanitized);
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=java_lang_http_response_splitting
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=java_lang_http_response_splitting