After running Veracode, it reported the following error "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')" in the following code fragm
It looks like a false positive, as ASP.Net will automatically check the response headers and encode CRLF characters when the configuration option EnableHeaderChecking is true (the default value). This is available since version 2.0 of the .Net framework and will also protect the response header against CRLF chars present in the cookie name.
References:
https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.enableheaderchecking?view=netframework-4.6.2
https://referencesource.microsoft.com/#System.Web/HttpHeaderCollection.cs,e201dcca44935c73
I understand that the scanner cannot trust that the server settings will be correct so I went and did a few tests with a function that replaces any CRLF chars from the string used in the cookie name, but Veracode simply won't accept it.
It seems like the scanner will only accept sanitization code from a pre-defined list of utilities. I did quite a few tests with URLEncode (which will encode the CRLF chars) from a few of the approved utilities, but still no luck.
References:
https://community.veracode.com/s/question/0D53400004DJusECAT/how-to-fix-crlf-http-response-splitting-in-java (though this answer refers to java it includes the link to the list of approved sanitizers, including C#)
https://help.veracode.com/reader/4EKhlLSMHm5jC8P8j3XccQ/IiF_rOE79ANbwnZwreSPGA
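The kind of sanitization the question describes (a helper that removes CR/LF from a user-controlled cookie name before it reaches the response headers), written out as an added example that is not code from the question or from Veracode's documentation. The class and method names (`HeaderSanitizer`, `StripCrlf`, `SafeCookieName`, `SetCookieHandler`) and the query-string parameter `name` are assumptions made for the illustration; whether a static scanner recognizes a hand-written helper as a sanitizer is a separate matter, as the question notes.

```csharp
// Added example, not part of the original question.
// Removes CR/LF (the characters that end a header line) from a value that
// will become a cookie name, and additionally restricts the name to the
// token characters allowed in a cookie name (RFC 6265 / RFC 2616 token).
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class HeaderSanitizer
{
    // Strip the two characters that make HTTP response splitting possible.
    public static string StripCrlf(string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return string.Empty;
        }
        return value.Replace("\r", string.Empty).Replace("\n", string.Empty);
    }

    // Anything outside the token character set (letters, digits and
    // !#$%&'*+-.^_`|~) is dropped, so separators such as ';' '=' or ','
    // cannot smuggle a second cookie attribute into the Set-Cookie header.
    private static readonly Regex NonTokenChars =
        new Regex(@"[^A-Za-z0-9!#$%&'*+\-.^_`|~]", RegexOptions.Compiled);

    public static string SafeCookieName(string name)
    {
        string sanitized = NonTokenChars.Replace(StripCrlf(name), string.Empty);
        // A cookie name must not be empty; fall back to a fixed default.
        return sanitized.Length > 0 ? sanitized : "cookie";
    }
}

// Handler that takes the cookie name from untrusted input (the "name"
// query-string parameter is an assumption for this example).
public class SetCookieHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext context)
    {
        string rawName = context.Request.QueryString["name"] ?? "session";

        // e.g. "x\r\nSet-Cookie: admin=1" becomes "xSet-Cookieadmin1"
        string name = HeaderSanitizer.SafeCookieName(rawName);

        var cookie = new HttpCookie(name, "1")
        {
            HttpOnly = true,
            Secure = true
        };
        context.Response.Cookies.Add(cookie);
        context.Response.ContentType = "text/plain";
        context.Response.Write("ok");
    }
}
```

The framework-level check the question refers to is controlled by the `enableHeaderChecking` attribute of the `<httpRuntime>` element in web.config (`<httpRuntime enableHeaderChecking="true" />`); it is on by default, so the helper above is defence in depth for deployments where that setting cannot be guaranteed, which is the scanner's concern.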