Deprecated test case
Description
CWE: 113 HTTP Response Splitting
BadSource: getParameterServlet Read data from a querystring using getParameter
GoodSource: A hardcoded string
Sinks: setHeaderServlet
GoodSink: URLEncode input
BadSink : querystring to setHeader()
Flow Variant: 41 Data flow: data passed as an argument from one method to another in the same class
Trace
-
-
CWE113_HTTP_Response_Splitting__getParameterServlet_setHeaderServlet_41.java, line 35
- CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
-
/* TEMPLATE GENERATED TESTCASE FILE
Filename: CWE113_HTTP_Response_Splitting__getParameterServlet_setHeaderServlet_41.java
Label Definition File: CWE113_HTTP_Response_Splitting.label.xml
Template File: sources-sinks-41.tmpl.java
*/
/*
* @description
* CWE: 113 HTTP Response Splitting
* BadSource: getParameterServlet Read data from a querystring using getParameter
* GoodSource: A hardcoded string
* Sinks: setHeaderServlet
* GoodSink: URLEncode input
* BadSink : querystring to setHeader()
* Flow Variant: 41 Data flow: data passed as an argument from one method to another in the same class
*
* */
package testcases.CWE113_HTTP_Response_Splitting;
import testcasesupport.*;
import javax.servlet.http.*;
import java.util.logging.Logger;
import java.net.URLEncoder;
/**
 * Juliet test case for CWE-113 (HTTP Response Splitting), flow variant 41.
 *
 * <p>The value under test travels as a method argument inside this class: each
 * public entry point ({@code bad} / {@code good}) obtains a value and hands it to
 * a private {@code *_sink} method, which writes it into the {@code Location}
 * response header.
 *
 * <ul>
 *   <li>{@code bad}: request parameter {@code name}, written to the header unmodified.</li>
 *   <li>{@code goodG2B}: hard-coded {@code "foo"}, written through a sink identical to the bad one.</li>
 *   <li>{@code goodB2G}: request parameter {@code name}, URL-encoded before it reaches the header.</li>
 * </ul>
 */
public class CWE113_HTTP_Response_Splitting__getParameterServlet_setHeaderServlet_41 extends AbstractTestCaseServlet
{
    /** Response header written by every sink in this test case. */
    private static final String HEADER_NAME = "Location";

    /** Fixed part of the header value; the data under test is appended as the {@code lang} query parameter. */
    private static final String REDIRECT_PREFIX = "/author.jsp?lang=";

    /**
     * Bad entry point: reads the {@code name} query-string parameter and passes it,
     * unmodified, to {@code bad_sink}.
     *
     * @param request  servlet request the parameter is read from
     * @param response servlet response whose {@code Location} header is set
     * @throws Throwable propagated from the sink
     */
    public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable
    {
        // Obtained but never used; retained because the generated test cases do this.
        java.util.logging.Logger unusedLogger = java.util.logging.Logger.getLogger("local-logger");
        /* read parameter from request */
        // Per the Servlet API this is null when the parameter is absent; the sink
        // then emits the literal text "null" in the header value.
        final String data = request.getParameter("name");
        bad_sink(data, request, response);
    }

    /**
     * Bad sink: the caller-supplied value is concatenated into the header without
     * any neutralization, so CR/LF in it would terminate the header line.
     *
     * @param data     value appended to the redirect target
     * @param request  unused; present to keep all sinks signature-compatible
     * @param response response whose {@code Location} header is set
     * @throws Throwable never thrown by this body itself
     */
    private void bad_sink(String data, HttpServletRequest request, HttpServletResponse response) throws Throwable
    {
        /* POTENTIAL FLAW: Input not verified before inclusion in header */
        response.setHeader(HEADER_NAME, REDIRECT_PREFIX + data);
    }

    /**
     * Good entry point: runs both good variants, good-source-to-bad-sink first.
     *
     * @param request  servlet request passed to both variants
     * @param response servlet response passed to both variants
     * @throws Throwable propagated from either variant
     */
    public void good(HttpServletRequest request, HttpServletResponse response) throws Throwable
    {
        goodG2B(request, response);
        goodB2G(request, response);
    }

    /* goodG2B() - use goodsource and badsink */
    /**
     * Good source, bad sink: the header value comes from a hard-coded string, so
     * the unguarded sink is safe in this path.
     */
    private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable
    {
        // Obtained but never used; retained because the generated test cases do this.
        Logger unusedLogger = Logger.getLogger("local-logger");
        /* FIX: Use a hardcoded string */
        final String data = "foo";
        goodG2B_sink(data, request, response);
    }

    /**
     * Sink used by {@code goodG2B}; its body is the same as {@code bad_sink} and is
     * only safe because its caller never supplies attacker-controlled data.
     */
    private void goodG2B_sink(String data, HttpServletRequest request, HttpServletResponse response) throws Throwable
    {
        /* POTENTIAL FLAW: Input not verified before inclusion in header */
        response.setHeader(HEADER_NAME, REDIRECT_PREFIX + data);
    }

    /* goodB2G() - use badsource and goodsink */
    /**
     * Bad source, good sink: the {@code name} query-string parameter is read as in
     * {@code bad}, but the sink URL-encodes it before writing the header.
     */
    private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable
    {
        // Obtained but never used; retained because the generated test cases do this.
        Logger unusedLogger = Logger.getLogger("local-logger");
        /* read parameter from request */
        // Null when the parameter is absent; the good sink is then expected to throw
        // NullPointerException from URLEncoder.encode rather than set the header.
        final String data = request.getParameter("name");
        goodB2G_sink(data, request, response);
    }

    /**
     * Good sink: percent-encodes the value before it is appended to the header.
     *
     * <p>URLEncoder leaves ASCII alphanumerics and {@code . - * _} untouched and
     * converts every other character run to bytes in the named charset, escaping
     * each byte as {@code %XX}. With {@code "UTF-16"} those bytes carry a leading
     * byte-order mark, so CR/LF can no longer reach the header as raw line breaks,
     * but the receiver must decode the {@code lang} parameter as UTF-16 to recover
     * the original text; {@code "UTF-8"} would be the conventional choice.
     *
     * @param data     value to encode and append to the redirect target
     * @param request  unused; present to keep all sinks signature-compatible
     * @param response response whose {@code Location} header is set
     * @throws Throwable propagated from {@code URLEncoder.encode}
     */
    private void goodB2G_sink(String data, HttpServletRequest request, HttpServletResponse response) throws Throwable
    {
        /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
        final String encoded = URLEncoder.encode(data, "UTF-16");
        response.setHeader(HEADER_NAME, REDIRECT_PREFIX + encoded);
    }

    /* Below is the main(). It is only used when building this testcase on
    its own for testing or for building a binary to use in testing binary
    analysis tools. It is not used when compiling all the testcases as one
    application, which is how source code analysis tools are tested. */
    public static void main(String[] args) throws ClassNotFoundException,
           InstantiationException, IllegalAccessException
    {
        mainFromParent(args);
    }
}