I have a J2EE web application for which a scan using Burp Scanner Suite reported the following as a HTTP response header injection vulnerability.
The problem is that when a CRLF character is injected in a request header/parameter, we are simply removing such characters from the request so as to avoid the Response Splitting issue, but the Burp Scanner Suite still reports it as a high issue.
So my question is, "Is it not sufficient to simply remove CRLF characters from the request to avoid the HTTP Response Splitting issue and allow the request to proceed? Or should we throw an exception when such characters are found in the request?" How can it harm if the CRLF characters have already been removed? Can someone explain with an example? [Screenshot of the issue reported by Burp Scanner]: https://i.stack.imgur.com/Y1Upd.png
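The two options the question weighs, stripping CR/LF from a value before it is copied into a response header versus rejecting the request, as an added Java example (not the poster's code and not from any library). It assumes a hypothetical helper class `HeaderValueGuard` and a constructed sample value; the servlet-side call it is meant for is only shown in a comment so the file compiles with the JDK alone.

```java
import java.util.regex.Pattern;

/**
 * Guards for attacker-influenced values that end up in a response header
 * (e.g. a "Location" or "Set-Cookie" built from a request parameter).
 * Added example for illustration; not the poster's application code.
 */
public final class HeaderValueGuard {

    // CR, LF and NUL are the characters that can end a header line or
    // confuse header parsers. A lone CR or a lone LF is forbidden too, not
    // only the "\r\n" pair. The container has already percent-decoded the
    // parameter, so "%0d%0a" arrives here as "\r\n".
    private static final Pattern FORBIDDEN = Pattern.compile("[\\r\\n\\u0000]");

    private HeaderValueGuard() {}

    /** Option 1 (the poster's approach): silently remove the dangerous characters. */
    public static String strip(String value) {
        if (value == null) {
            return null;
        }
        return FORBIDDEN.matcher(value).replaceAll("");
    }

    /** Option 2: refuse the value so the caller can log it and answer 400. */
    public static String requireClean(String value) {
        if (value != null && FORBIDDEN.matcher(value).find()) {
            throw new IllegalArgumentException("header value contains CR, LF or NUL");
        }
        return value;
    }

    /** True when the value can be emitted as a single header line. */
    public static boolean isSafeHeaderValue(String value) {
        return value == null || !FORBIDDEN.matcher(value).find();
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of value a scanner supplies, after decoding.
        String tainted = "home\r\nSet-Cookie: injected=1";

        // Typical servlet usage (not compiled here, servlet API not on the classpath):
        //   response.setHeader("Location", HeaderValueGuard.strip(request.getParameter("next")));
        // or
        //   response.setHeader("Location", HeaderValueGuard.requireClean(request.getParameter("next")));

        String stripped = strip(tainted);
        System.out.println("stripped  : " + stripped);
        System.out.println("safe now  : " + isSafeHeaderValue(stripped));

        try {
            requireClean(tainted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected  : " + e.getMessage());
        }
    }
}
```

Stripping removes every line break, so no second header can be forged; the remainder of the value (here `homeSet-Cookie: injected=1`) still reaches the header as one line, which is odd but not a split. Rejecting stops the request from proceeding at all and leaves a log entry that an injection attempt was made, which is the signal a detection team would rather have. Whichever option is chosen, the check must run on the decoded value and treat a lone CR or lone LF as forbidden, not only the `\r\n` pair.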