Description
A function call contains an HTTP response splitting flaw. Writing untrusted input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and cross-site scripting attacks.
Recommendations
Remove unexpected carriage returns and line feeds from untrusted data used to construct an HTTP response. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
A simple string extension can resolve this issue (the two calls per escape sequence in the original were redundant, since the comparison is already case-insensitive, so they are collapsed here without changing behaviour):

    // Strips raw and percent-encoded CR/LF from a value before it is written into a response header.
    public static string CRLFRemoval(this string token)
    {
        return token
            .Replace("\r", string.Empty)
            .Replace("\n", string.Empty)
            // case-insensitive, so both %0d and %0D (and %0a / %0A) are covered
            .Replace("%0d", string.Empty, StringComparison.InvariantCultureIgnoreCase)
            .Replace("%0a", string.Empty, StringComparison.InvariantCultureIgnoreCase);
    }
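The validate-rather-than-strip approach the recommendation describes, as an added C# example that is not part of the original finding; the class and method names, the three-pass decode limit and the local-path pattern are illustrative choices:

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not the finding's own code: reject a header value that
// violates the header grammar instead of silently removing CR/LF from it.
public static class HeaderGuard
{
    // RFC 7230 field-value characters: visible ASCII, space and horizontal tab.
    // Anything else (CR, LF, NUL, other control bytes) fails validation.
    private static readonly Regex AllowedFieldValue =
        new Regex(@"^[\x20-\x7E\t]*$", RegexOptions.Compiled);

    // Returns the value unchanged if it is safe to place in a header.
    // Both the raw value and its percent-decoded form are checked, so
    // \r, \n, %0d, %0a and double-encoded forms such as %250d are rejected.
    public static string RequireSafeHeaderValue(string untrusted)
    {
        if (untrusted == null) throw new ArgumentNullException(nameof(untrusted));

        string decoded = untrusted;
        // Decode until stable (bounded, assumed limit of 3 passes) so that
        // multiply-encoded CR/LF cannot slip through a single decode.
        for (int pass = 0; pass < 3; pass++)
        {
            string next = Uri.UnescapeDataString(decoded);
            if (next == decoded) break;
            decoded = next;
        }

        if (!AllowedFieldValue.IsMatch(untrusted) || !AllowedFieldValue.IsMatch(decoded))
            throw new ArgumentException("Header value contains disallowed characters.");
        return untrusted;
    }

    // Format validation for a common source of this flaw: a "return to"
    // parameter copied into a Location header. Only application-local paths
    // are accepted; protocol-relative "//host" targets are refused as well.
    private static readonly Regex LocalPath =
        new Regex(@"^/[A-Za-z0-9/_\-.?=&%]*$", RegexOptions.Compiled);

    public static string RequireLocalRedirectPath(string untrusted)
    {
        string value = RequireSafeHeaderValue(untrusted);
        if (!LocalPath.IsMatch(value) || value.StartsWith("//", StringComparison.Ordinal))
            throw new ArgumentException("Redirect target must be a local path.");
        return value;
    }
}
```

Call `HeaderGuard.RequireLocalRedirectPath(returnUrl)` before passing the value to `Response.Redirect` or `Response.Headers`; the thrown exception should be logged and mapped to a 400 response rather than swallowed, since a rejected value is a signal worth seeing in detection.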
Links for reference:
https://en.wikipedia.org/wiki/HTTP_response_splitting
https://securiteam.com/securityreviews/5WP0E2KFGK
https://www.owasp.org/index.php?title=Testing_for_HTTP_Splitting/Smuggling_(OTG-INPVAL-017)