After running VeraCode, it reported the following error "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')" in the following code fragm
Description
A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.
Recommendations
Remove unexpected carriage returns and line feeds from user-supplied data used to construct an HTTP response. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
Issue Code
// Flagged by Veracode: headerKey and headerValue are written to the response
// header without first removing or rejecting CR/LF characters
response.setHeader(headerKey, headerValue);
response.addHeader(headerKey, headerValue);
Fixed Code
// OWASP ESAPI wrapper: validates the header name and value against the
// configured HTTP header patterns before writing them to the response
DefaultHTTPUtilities httpUtilities = new DefaultHTTPUtilities();
// Pass the HttpServletResponse explicitly to both calls; the overloads without
// it rely on the current response having been registered with ESAPI
httpUtilities.setHeader(response, headerKey, headerValue);
httpUtilities.addHeader(response, headerKey, headerValue);
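If you cannot pull in ESAPI, the Veracode recommendation can also be implemented directly. The following is an added example, not the poster's code and not part of ESAPI; the class name, method names and the sample values are assumptions chosen for illustration, and it is plain Java with no servlet dependency so it can be compiled and run on its own.

```java
import java.util.regex.Pattern;

/**
 * Added example: validates header names and values before they reach
 * response.setHeader / response.addHeader, so that user-supplied data
 * can never terminate the header line it is written into (CWE-113).
 */
public final class HeaderValueValidator {

    // RFC 7230 field-value: visible ASCII plus SP and HTAB; CR, LF and every
    // other control character are excluded, which is what closes the flaw.
    private static final Pattern SAFE_FIELD_VALUE = Pattern.compile("[\\t\\x20-\\x7E]*");

    // RFC 7230 token characters; a CR/LF in the header name is just as dangerous.
    private static final Pattern SAFE_FIELD_NAME = Pattern.compile("[!#$%&'*+.^_`|~0-9A-Za-z-]+");

    public static boolean isSafeHeaderValue(String value) {
        return value != null && SAFE_FIELD_VALUE.matcher(value).matches();
    }

    public static boolean isSafeHeaderName(String name) {
        return name != null && SAFE_FIELD_NAME.matcher(name).matches();
    }

    /** Reject rather than strip: silently removing CR/LF can hide an attack in the logs. */
    public static String requireSafeHeaderValue(String value) {
        if (!isSafeHeaderValue(value)) {
            throw new IllegalArgumentException("header value contains CR/LF or other control characters");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed samples: a benign redirect target and one carrying a CRLF
        // sequence that would start a second header line if written unchecked.
        String benign = "/account/home";
        String split = "/account/home\r\nX-Injected: 1";

        System.out.println("benign accepted: " + isSafeHeaderValue(benign)); // true
        System.out.println("split rejected:  " + !isSafeHeaderValue(split)); // true
        System.out.println("name check:      " + isSafeHeaderName("Location")); // true

        // Usage at the flagged call site (hypothetical servlet code, not run here):
        // response.setHeader(headerKey, HeaderValueValidator.requireSafeHeaderValue(headerValue));
    }
}
```

Most current servlet containers already reject CR/LF in header values themselves, but validating at the application layer keeps the behaviour independent of the container and gives the scanner a visible sanitization point.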