How to fix HTTP response header injection/HTTP Response Splitting

0 votes
Asked by: user (120 points)

I have a J2EE web application for which a scan using Burp Scanner Suite reported the following as an HTTP response header injection vulnerability.
The problem is that when a CRLF character is injected in a request header/parameter, we are simply removing such characters from the request so as to avoid the Response Splitting issue, but the Burp Scanner Suite still reports it as a high issue.

So my question is: "Is it not sufficient to simply remove CRLF characters from the request to avoid the HTTP Response Splitting issue and allow the request to proceed? Or should we throw an exception when such characters are found in the request? How can it do harm if the CRLF characters have already been removed?" Can someone explain with an example? [Screenshot of the issue reported by Burp Scanner]
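The following is an added illustration, not code from the question or the scanned application, of why "remove and carry on" is a weaker control than "reject": a filter that deletes the literal CRLF pair in one pass is not idempotent, so the characters left behind can themselves form a new CRLF, whereas a filter that refuses any control character in a header value fails closed and gives you an event to log. The header-writing simulation and the names `strip_once`, `strip_all_control`, `validate_or_reject` and `header_lines` are assumptions for this example.

```python
import re

# Patterns: the literal CRLF pair, and the whole ASCII control range
# (which includes CR and LF on their own).
CRLF_PAIR = re.compile(r"\r\n")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def strip_once(value: str) -> str:
    """Naive filter from the question: delete CRLF, let the request proceed.
    A single pass over the literal pair can leave a new CRLF behind."""
    return CRLF_PAIR.sub("", value)


def strip_all_control(value: str) -> str:
    """Stricter filter: every control byte goes, so nothing can be rebuilt.
    Still lets the request proceed silently, so the attempt goes unnoticed."""
    return CONTROL.sub("", value)


class HeaderInjectionAttempt(ValueError):
    """Raised when a value destined for a response header contains a control character."""


def validate_or_reject(value: str) -> str:
    """Preferred control: a header value with any control character is an
    injection attempt, not malformed input to tidy up. Fail closed, then log
    the exception in the caller so the attempt is visible to monitoring."""
    if CONTROL.search(value):
        raise HeaderInjectionAttempt("control character in header value")
    return value


def header_lines(name: str, value: str) -> list[str]:
    """Simulate the server writing one header and show how many header lines
    a client would actually parse (the response is split on CRLF)."""
    return f"{name}: {value}".split("\r\n")


def contains_crlf(value: str) -> bool:
    return "\r" in value or "\n" in value


if __name__ == "__main__":
    # Constructed sample: a scanner-style value with nested line breaks.
    sample = "x\r\r\n\ny"
    print(header_lines("Location", strip_once(sample)))        # two lines survive
    print(header_lines("Location", strip_all_control(sample)))  # one line
```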
