Deprecated test case
Description
CWE: 113 HTTP Response Splitting
BadSource: getParameterServlet Read data from a querystring using getParameter
GoodSource: A hardcoded string
Sinks: setHeaderServlet
GoodSink: URLEncode input
BadSink : querystring to setHeader()
Flow Variant: 41 Data flow: data passed as an argument from one method to another in the same class
Flaws
Test Suites
Documentation
Trace
-
-
CWE113_HTTP_Response_Splitting__getParameterServlet_setHeaderServlet_41.javaline 35
- CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
-
Files
src
main
java
testcases
CWE113_HTTP_Response_Splitting
CWE113_HTTP_Response_Splitting__getParameterServlet_setHeaderServlet_41.java
testcasesupport
AbstractTestCaseServlet.java
IO.java
manifest.sarif
xxxxxxxxxx111 /* TEMPLATE GENERATED TESTCASE FILEFilename: CWE113_HTTP_Response_Splitting__getParameterServlet_setHeaderServlet_41.javaLabel Definition File: CWE113_HTTP_Response_Splitting.label.xmlTemplate File: sources-sinks-41.tmpl.java*//* * @description * CWE: 113 HTTP Response Splitting * BadSource: getParameterServlet Read data from a querystring using getParameter * GoodSource: A hardcoded string * Sinks: setHeaderServlet * GoodSink: URLEncode input * BadSink : querystring to setHeader() * Flow Variant: 41 Data flow: data passed as an argument from one method to another in the same class * * */package testcases.CWE113_HTTP_Response_Splitting;import testcasesupport.*;import javax.servlet.http.*;import java.util.logging.Logger;import java.net.URLEncoder;public class CWE113_HTTP_Response_Splitting__getParameterServlet_setHeaderServlet_41 extends AbstractTestCaseServlet{ private void bad_sink(String data , HttpServletRequest request, HttpServletResponse response) throws Throwable { /* POTENTIAL FLAW: Input not verified before inclusion in header */ response.setHeader("Location", "/author.jsp?lang=" + data); } public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; Logger log_bad = Logger.getLogger("local-logger"); /* read parameter from request */ data = request.getParameter("name"); bad_sink(data , request, response ); } public void good(HttpServletRequest request, HttpServletResponse response) throws Throwable { goodG2B(request, response); goodB2G(request, response); } private void goodG2B_sink(String data , HttpServletRequest request, HttpServletResponse response) throws Throwable { /* POTENTIAL FLAW: Input not verified before inclusion in header */ response.setHeader("Location", "/author.jsp?lang=" + data); } /* goodG2B() - use goodsource and badsink */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; goodG2B_sink(data , request, response ); } private void goodB2G_sink(String data , HttpServletRequest request, HttpServletResponse response) throws Throwable { /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ data = URLEncoder.encode(data, "UTF-16"); response.setHeader("Location", "/author.jsp?lang=" + data); } /* goodB2G() - use badsource and goodsink */ private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; Logger log_bad = Logger.getLogger("local-logger"); /* read parameter from request */ data = request.getParameter("name"); goodB2G_sink(data , request, response ); } /* Below is the main(). It is only used when building this testcase on its own for testing or for building a binary to use in testing binary analysis tools. It is not used when compiling all the testcases as one application, which is how source code analysis tools are tested. */ public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException { mainFromParent(args); }}Have any comments on this test case? Please, send us an email.