CRLF Injection [VID:22] #262
Labels
Veracode Policy Scan
A Veracode Flaw found during a Policy or Sandbox Scan
VeracodeFlaw: Medium
A Veracode Flaw, Medium severity
Filename: HammerHead.java
Line: 258
CWE: 117 (Improper Output Neutralization for Logs)
This call to org.slf4j.Logger.debug() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to debug() contains tainted data from the variable output. The tainted data originated from earlier calls to javax.servlet.ServletRequest.getRemoteHost, javax.servlet.ServletRequest.getParameterNames, and javax.servlet.ServletRequest.getParameterValues. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP WASC Supported Cleansers
The text was updated successfully, but these errors were encountered: