Veracode CRLF Error

CRLF Injection (1 flaw)
The acronym CRLF stands for "Carriage Return, Line Feed" and refers to the sequence of characters used to denote the end
of a line of text. CRLF injection vulnerabilities occur when data enters an application from an untrusted source and is not
properly validated before being used. For example, if an attacker is able to inject a CRLF into a log file, he could append
falsified log entries, thereby misleading administrators or covering traces of the attack. If an attacker is able to inject CRLFs into
an HTTP response header, he can use this ability to carry out other attacks such as cache poisoning. CRLF vulnerabilities
primarily affect data integrity.

Apply robust input filtering for all user-supplied data validation routines when possible. Use output
filters to sanitize all output derived from user-supplied input, replacing non-alphanumeric characters with their HTML entity
Associated Flaws by CWE ID:
Improper Output Neutralization for Logs (CWE ID 117) (1 flaw)

Solution :

// Encode the user-controlled message before it reaches the log (ESAPI HTML encoding neutralizes CR/LF)
Log.info(ESAPI.encoder().encodeForHTML(message));
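To make the CWE 117 finding concrete, here is an added example (not Veracode's code and not ESAPI's) that shows how a CR/LF inside a username forges a second, attacker-supplied log entry, and how neutralizing the value before the Log.info call keeps it on one line. The username, the log format and the neutralizeForLog helper are all constructed for this demo; the helper stands in for ESAPI's encoder so the class runs with only the JDK.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;

/**
 * Added example (not Veracode's or ESAPI's code): a CR/LF in user-controlled
 * data forges an extra log entry; neutralizing the value before logging prevents it.
 */
public class LogInjectionDemo {

    private static final Logger LOG = Logger.getLogger(LogInjectionDemo.class.getName());

    /** Hypothetical helper: escape CR, LF and other ASCII control characters so the value stays on one line. */
    public static String neutralizeForLog(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (c < 0x20 || c == 0x7f) {
                sb.append(String.format("\\x%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Format one entry the way a simple line-oriented logger would (constructed format). */
    static String formatEntry(String user, String outcome) {
        return "INFO login user=" + user + " outcome=" + outcome;
    }

    /** Split log text into entries the way an administrator or a log tool reads it: one per line. */
    static List<String> parseEntries(String logText) {
        List<String> entries = new ArrayList<>();
        for (String line : logText.split("\\r?\\n")) {
            if (!line.isEmpty()) {
                entries.add(line);
            }
        }
        return entries;
    }

    public static void main(String[] args) {
        // Constructed sample input: a username carrying CRLF followed by a forged entry.
        String suppliedUsername = "alice\r\nINFO login user=admin outcome=SUCCESS";

        // Vulnerable path: the raw value goes straight into the log line, so the
        // CRLF splits it into a second line that is entirely attacker-supplied.
        String vulnerable = formatEntry(suppliedUsername, "FAILURE");
        List<String> vulnerableEntries = parseEntries(vulnerable);

        // Hardened path: CR and LF survive only as the literal text "\r\n",
        // so the administrator sees exactly one entry and the odd username inside it.
        String hardened = formatEntry(neutralizeForLog(suppliedUsername), "FAILURE");
        List<String> hardenedEntries = parseEntries(hardened);

        System.out.println("entries produced without neutralization: " + vulnerableEntries.size());
        System.out.println(vulnerable);
        System.out.println("entries produced with neutralization:    " + hardenedEntries.size());
        System.out.println(hardened);

        // This is what the page's Log.info(...) call should receive.
        LOG.info(hardened);
    }
}
```

ESAPI's encodeForHTML, as used on the page, takes the same approach but emits HTML entities rather than backslash escapes; the hand-written helper here is only so the demo runs without the ESAPI jar and its ESAPI.properties configuration. The check to apply in review is the one parseEntries makes visible: a single logging call must never be able to produce more than one line in the log file.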
