How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"

Question

After running VeraCode, it reported a following error "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')" in the following code fragment:

protected override void InitializeCulture() {
        //If true then setup the ability to have a different culture loaded
        if (AppSettings.SelectLanguageVisibility) {
            //Create cookie variable and check to see if that cookie exists and set it if it does.
            HttpCookie languageCookie = new HttpCookie("LanguageCookie");
            if (Request.Cookies["LanguageCookie"] != null)
                languageCookie = Request.Cookies["LanguageCookie"];

            //Check to see if the user is changing the language using a query string.
            if (Server.UrlDecode(Request.QueryString["l"]) != null)
                languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);

            //Check to make sure the cookie isn't null and set the culture variable to auto if it is and the value of the cookie if it isn't.
            if (languageCookie.Value == null)
                languageCookie.Value = string.Empty;

            string culture = languageCookie.Value.ToString();
            if (string.IsNullOrEmpty(culture))
                culture = "Auto";

            //Use to set the Culture and UI Culture.
            this.UICulture = culture;
            this.Culture = culture;
            if (culture != "Auto") {
                //If culture is changed set the new Current Culture and CurrentUICulture.
                System.Globalization.CultureInfo ci = new System.Globalization.CultureInfo(culture);
                System.Threading.Thread.CurrentThread.CurrentCulture = ci;
                System.Threading.Thread.CurrentThread.CurrentUICulture = ci;
            }

            //Update the cookie value with the new culture and initialize the culture.
            Response.Cookies.Set(languageCookie);
            Response.Cookies["LanguageCookie"].Expires = DateTime.Now.ToLocalTime().AddYears(1);
            Response.Cookies["LanguageCookie"].HttpOnly = true;
        }
        else {
            //Else keep language as English if localization is not enabled.
            this.UICulture = "en";
            this.Culture = "en";
        }

        base.InitializeCulture();
    }

The report points to the line containing following code:Response.Cookies.Set(languageCookie); What fix can be used to eliminate that error?

Thank's

Answer 1

The easiest way to remove this issue is to use ESAPI httputilities present in esapi jar. You can use

ESAPI.httpUtilities().setHeader(response,param,value);
ESAPI.httpUtilities().addCookies(response, param,value);

and similar methods for other tasks. You will need to have ESAPI.properrties set in you classpath. This is the way we implemented for Java. Same features are available for other languages too.

No additional work is required and it will solve the issue in veracode.

Answer 2

I believe the problem is because the line

languageCookie.Value = Server.UrlDecode(Request.QueryString["l"]);

accepts (untrusted) user input (i.e. Request.QueryString["l"]). Try adding a function call to remove any carriage returns or line feed characters (including their encoded equivalents like %0d and %0a) from that query string parameter before storing it in languageCookie.

For example, you might try changing that line to:

languageCookie.Value = Server.UrlDecode(Request.QueryString["l"])
                         .Replace("\r", string.Empty)
                         .Replace("%0d", string.Empty)
                         .Replace("%0D", string.Empty)
                         .Replace("\n", string.Empty)
                         .Replace("%0a", string.Empty)
                         .Replace("%0A", string.Empty);

though that should probably be cleaned up a bit (I'm not a C# programmer at this time).

See also

• http://en.wikipedia.org/wiki/HTTP_response_splitting
• http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
• https://www.owasp.org/index.php/Testing_for_HTTP_Splitting/Smuggling_(OWASP-DV-016)

Answer 3

It looks like a false positive as ASP.Net will automatically check the response headers and encode CRLF characters when the configuration option EnableHeaderChecking is true (the default value).This is available since version 2.0 of the .Net framework and will also protect the response header against CRLF chars present in the cookie name.

References:

• https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.enableheaderchecking?view=netframework-4.6.2

• https://referencesource.microsoft.com/#System.Web/HttpHeaderCollection.cs,e201dcca44935c73

I understand that the scanner cannot trust that the server settings will be correct so I went and did a few tests with a function that replaces any CRLF chars from the string used in the cookie name, but Veracode simply won't accept it.

It seems like the scanner will only accept sanitization code from a pre-defined list of utilities. I did quite a few tests with URLEncode (which will encode the CRLF chars) from a few of the approved utilities but yet no luck.

References:

• https://community.veracode.com/s/question/0D53400004DJusECAT/how-to-fix-crlf-http-response-splitting-in-java (though this answer refers to java it includes the link to the list of approved sanitizers, including C#)

• https://help.veracode.com/reader/4EKhlLSMHm5jC8P8j3XccQ/IiF_rOE79ANbwnZwreSPGA

Answer 4

Description

A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and crosssite scripting attacks.

Recommendations

Remove unexpected carriage returns and line feeds from user-supplied data used to construct an HTTP response. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

Issue Code

response.setHeader(headerKey,headerValue); 
response.addHeader(headerKey, headerValue);

Fixed Code

DefaultHTTPUtilities httpUtilities = new DefaultHTTPUtilities(); 
httpUtilities.setHeader(headerKey,headerValue); 
httpUtilities.addHeader(response, headerKey,headerValue);

Answer 5

One liner to replace all character causing CRLF using StringUtils. It works for me

StringUtils.replaceEach(strForCRLF, new String[] { "\n", "\r","%0d", "%0D", "%0a", "%0A" }, new String[] { "", "", "", "", "", "" });

Answer 6

In Asp.Net you have to check for two things first cookies must be httponly .You can specify that in your webconfig

<httpCookies httpOnlyCookies="true"/>

and after that make sure you have santized the that you are saving in your cookies like

HttpCookie cookies=new HttpCookies("key",Sanitizer.GetSafeHtml(value));

This sanitizer class is from ANtixss library. For details you can check this link Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE ID 113)