5

Is HTTP response splitting possible in the case below:

String requestFilename = request.getParameter("name");

response.addHeader("content-disposition", "attachment; filename=" + requestFilename);

I am directly appending the unsanitized request parameter to the response header.

My question is: by using CRLF characters, can we insert our own header into the response?

So far I have tried \r\n and %0D%0A but they do not work.

Is response.addHeader() immune to such attacks?
Can someone explain to me how this attack can be executed?

2
  • I would assume that addHeader is escaping whatever you pass it. Commented Mar 4, 2015 at 10:11
  • Looking for some definite answers. Please help Commented Mar 4, 2015 at 10:42

1 Answer

1

Whether HTTP response splitting is possible in your case will depend on the servlet container that is hosting the code.

For example, Tomcat guards against common security vulnerabilities, with the CORS Filter dealing with response splitting (at least for the incoming request).

Tomcat also filters the values written to the response - see Http11OutputBuffer (line 383), which prevents corrupt values being returned to the client should they somehow end up as a header value.

Never say never, but if you're using an up-to-date version of a popular web server like Tomcat, you should be safe from well-known vulnerabilities like response splitting.
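
Added example, not part of the answer above and not Tomcat's code: one way to validate the `name` parameter from the question before it reaches `response.addHeader`, so the application does not depend on the container's header filtering. The class and method names are hypothetical, and the sample inputs in `main` are constructed.

```java
import java.nio.charset.StandardCharsets;

public class ContentDispositionHeader {
    // Builds a Content-Disposition value from an untrusted file name.
    // Hypothetical helper: call it instead of concatenating the raw parameter.
    static String build(String requestFilename) {
        if (requestFilename == null || requestFilename.isEmpty()) {
            throw new IllegalArgumentException("missing file name");
        }
        // Reject control characters outright (CR, LF, NUL, DEL, C1 controls).
        for (int i = 0; i < requestFilename.length(); i++) {
            if (Character.isISOControl(requestFilename.charAt(i))) {
                throw new IllegalArgumentException("control character in file name");
            }
        }
        // ASCII fallback for the quoted form: anything off the allowlist becomes '_'.
        String fallback = requestFilename.replaceAll("[^A-Za-z0-9._-]", "_");
        return "attachment; filename=\"" + fallback + "\"; filename*=UTF-8''"
                + percentEncode(requestFilename);
    }

    // RFC 5987 encoding: attr-char bytes stay, every other UTF-8 byte becomes %XX.
    static String percentEncode(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            boolean attrChar = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || "!#$&+-.^_`|~".indexOf(c) >= 0;
            out.append(attrChar ? String.valueOf((char) c) : String.format("%%%02X", c));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary name and one carrying CRLF.
        System.out.println(build("report 2015.pdf"));
        try {
            build("a.pdf\r\nX-Injected: 1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a servlet this would be used as `response.addHeader("Content-Disposition", ContentDispositionHeader.build(request.getParameter("name")))`, with the `IllegalArgumentException` mapped to a 400 response.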
