
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') [VID:113:github.com/govwa/util/cookie.go:38] #9


Open
veracode-workflow-app bot opened this issue Mar 3, 2025 · 0 comments
Labels
Veracode Pipeline Scan (a Veracode flaw found during a Pipeline Scan); VeracodeFlaw: Medium (a Veracode flaw, Medium severity)

Comments

@veracode-workflow-app

github.com/govwa/util/cookie.go, lines 33 to 43 at commit 06b43e3 (excerpt; the package clause, imports and the opening of the SetCookie function sit above the quoted window):

```go
		//Path : "/",
		//Domain : "localhost",
		Name:  name,
		Value: value,
	}
	http.SetCookie(w, &cookie) // line 38: the call flagged by the scan
}

func GetCookie(r *http.Request, name string) string {
	cookie, _ := r.Cookie(name) // the error is discarded; when the cookie is absent, cookie is nil and cookie.Value panics
	return cookie.Value
}
```

Filename: github.com/govwa/util/cookie.go

Line: 38

CWE: 113 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'))

This call to net::http::SetCookie() contains an HTTP response splitting flaw. Writing untrusted input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, to inject additional headers or an entire response body into the response stream. Injecting headers can be used to trick various security mechanisms in browsers into allowing XSS-style attacks. Injecting entire response bodies can not only cause XSS attacks to succeed but may even poison the cache of any intermediary proxies between the clients and the application server.

The second argument to SetCookie() contains tainted data from the variable cookie. The tainted data originated from an earlier call to net.http.Request.FormValue.

Escape, encode, or remove carriage return and line feed characters from untrusted data before inclusion in HTTP response headers. Whenever possible, use a security library such as ESAPI that provides safe versions of addHeader(), etc. that will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

References: CWE, OWASP, Supported Cleansers

Don't know how to fix this? Don't know why this was reported?
Get Assistance from Veracode
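The remediation text above is Veracode's generic Java guidance (ESAPI, OWASP Java Encoder); in Go the equivalent is to validate the value before it is handed to net/http. One caveat worth knowing before triaging this as a live response-splitting bug: Go's net/http never writes a CR or LF from Cookie.Value into the wire header. (*http.Cookie).String drops bytes outside its allowed set and logs a "dropping invalid bytes" warning, so on a stock Go server the flagged call produces a mangled cookie rather than a second header. Rejecting the input is still the right fix: the mangled value is otherwise accepted silently, and a hand-rolled header write or a different stack gives no such safety net. The following is an added example, not code from govwa or from Veracode. It assumes the helper names ValidCookieValue, SetCookieRaw, SetCookieSafe and RenderSetCookie, uses (*http.Cookie).Valid, which exists from Go 1.18, and the tainted input is constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrBadCookieValue is returned when a value contains bytes that RFC 6265 does
// not allow in a cookie-value; CR and LF are the ones that matter for CWE-113.
var ErrBadCookieValue = errors.New("cookie value contains bytes not allowed by RFC 6265")

// ValidCookieValue is an allowlist check: every byte must be an RFC 6265
// cookie-octet (%x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E), i.e. printable
// US-ASCII without space, DQUOTE, comma, semicolon or backslash. This is
// stricter than net/http's own sanitizer, which tolerates space and comma.
func ValidCookieValue(v string) bool {
	for i := 0; i < len(v); i++ {
		b := v[i]
		switch {
		case b < 0x21 || b > 0x7e: // controls (including \r and \n), space, DEL, non-ASCII
			return false
		case b == '"' || b == ',' || b == ';' || b == '\\':
			return false
		}
	}
	return true
}

// SetCookieRaw reproduces the pattern the scan flagged: whatever arrived in the
// request is handed to http.SetCookie with no validation of our own.
func SetCookieRaw(w http.ResponseWriter, name, value string) {
	http.SetCookie(w, &http.Cookie{Name: name, Value: value})
}

// SetCookieSafe is the hardened form (hypothetical name). It refuses a value
// that fails the allowlist, then lets (*http.Cookie).Valid (Go 1.18+) check the
// name, Path and Domain as well, and only then writes the header. The caller
// gets an error to turn into a 400 instead of a silently mangled cookie.
func SetCookieSafe(w http.ResponseWriter, name, value string) error {
	if !ValidCookieValue(value) {
		return ErrBadCookieValue
	}
	c := &http.Cookie{Name: name, Value: value, Path: "/", HttpOnly: true}
	if err := c.Valid(); err != nil {
		return err
	}
	http.SetCookie(w, c)
	return nil
}

// RenderSetCookie runs fn against an httptest recorder and returns the
// Set-Cookie header lines exactly as net/http would emit them, so the effect
// of a tainted value can be inspected offline.
func RenderSetCookie(fn func(http.ResponseWriter)) []string {
	rec := httptest.NewRecorder()
	fn(rec)
	return rec.Result().Header.Values("Set-Cookie")
}

func main() {
	// Constructed attacker input: a CRLF followed by a second header.
	tainted := "ok\r\nSet-Cookie: admin=true"

	// Flagged pattern: net/http drops the CR and LF (logging a "dropping
	// invalid bytes" warning) and the remainder lands inside the single sid
	// cookie, so there is no second header, only a corrupted value.
	for _, h := range RenderSetCookie(func(w http.ResponseWriter) {
		SetCookieRaw(w, "sid", tainted)
	}) {
		fmt.Printf("raw header:    %q\n", h)
	}

	// Hardened pattern: the tainted value is rejected before any header exists.
	fmt.Println("safe (tainted):", SetCookieSafe(httptest.NewRecorder(), "sid", tainted))

	// A well-formed value goes through unchanged.
	fmt.Println("safe (clean):  ", SetCookieSafe(httptest.NewRecorder(), "sid", "abc123"))
}
```

Run it with `go run` and watch stderr as well as stdout: the "net/http: invalid byte ... in Cookie.Value; dropping invalid bytes" line is the standard library's own tell that something tried to inject, and is worth alerting on even once the allowlist is in place.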

veracode-workflow-app bot added the labels Veracode Pipeline Scan and VeracodeFlaw: Medium on Mar 3, 2025