
HTTP response headers should not be vulnerable to injection attacks

    Details

    • Message:
      Refactor this code to not place tainted, user-controlled data in the header.
    • Highlighting:

      "[varname]" is tainted (assignments and parameters)
      this argument is tainted (method invocations)
      the returned value is tainted (returns & method invocations results)
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      C#, Java, PHP
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Abstract Interpretation
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-79,CWE-113
    • OWASP:
      A7
    • SANS Top 25:
      Insecure Interaction Between Components

      Description

      User-provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications that construct HTTP response headers from tainted data could allow attackers to inject characters that some browsers interpret as a new line. This could, for example, enable Cross-Site Scripting (XSS) attacks.

      Most modern web application frameworks and servers mitigate this type of attack by default, but there may be rare cases where older versions are still vulnerable. As a best practice, applications that use user-provided data to construct a response header should always validate the data first. Validation should be based on a whitelist.
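      Added example, not code from the rule page or from SonarSource, showing the whitelist validation the description calls for in Java (one of the covered languages); a plain Map stands in for the servlet response and all inputs are constructed:

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not from the rule page: a plain Map stands in for the servlet
// response (setHeader) so the code runs without a container.
public class HeaderWhitelist {

    // Fixed set of values the Content-Language header may take.
    private static final Set<String> ALLOWED_LANGUAGES = Set.of("en", "fr", "de");

    // Character whitelist for a user-chosen page name placed in a redirect:
    // letters, digits, '-' and '_' only, so CR and LF can never pass.
    private static final Pattern PAGE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Noncompliant (what RSPEC-5167 reports): the tainted parameter reaches the
    // header value unchanged.
    static void setLanguageNoncompliant(Map<String, String> response, String lang) {
        response.put("Content-Language", lang);
    }

    // Compliant: the tainted value only selects among known-good values.
    static void setLanguageCompliant(Map<String, String> response, String lang) {
        boolean known = lang != null && ALLOWED_LANGUAGES.contains(lang);
        response.put("Content-Language", known ? lang : "en");
    }

    // Compliant: validate against the whitelist pattern, then build Location from
    // a fixed prefix plus the validated token; anything else is refused.
    static boolean redirectToPage(Map<String, String> response, String page) {
        if (page == null || !PAGE_NAME.matcher(page).matches()) {
            return false; // caller should answer 400 instead of redirecting
        }
        response.put("Location", "/pages/" + page);
        return true;
    }

    public static void main(String[] args) {
        Map<String, String> response = new HashMap<>();
        // Constructed inputs: a clean value and one carrying a line break.
        setLanguageCompliant(response, "fr");
        System.out.println("Content-Language: " + response.get("Content-Language"));
        setLanguageCompliant(response, "fr\r\nbar");
        System.out.println("Content-Language: " + response.get("Content-Language"));
        System.out.println("redirect(about): " + redirectToPage(response, "about"));
        System.out.println("redirect(about\\r\\nbar): " + redirectToPage(response, "about\r\nbar"));
    }
}
```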

      See

        Attachments

        1. Java RSPEC-5168 (Language-Specification, Active, Unassigned)
        2. C# RSPEC-5169 (Language-Specification, Active, Unassigned)
        3. PHP RSPEC-5170 (Language-Specification, Active, Unassigned)

            People

            • Assignee:
              Unassigned
            • Reporter:
              lars.svensson Lars Svensson (Inactive)