Standard Analyses

SemmleCode Professional comes with a wide range of pre-packaged analyses, from architectural properties and metrics to statement-level checks for likely bugs and violations of best practice.


HTTP Response Splitting Vulnerability

This query finds code that writes the value of an HTTP request parameter, without validation, into an HTTP response header. If the parameter value contains a carriage return and line feed (CR LF), it terminates the header line and lets the attacker append further headers, or a complete second response body, to the server's reply. This is known as HTTP response splitting.

How to Interpret the Query Results

The query flags each call to HttpServletResponse.setHeader whose value argument is derived from ServletRequest.getParameter, and lists the detected occurrences in the result view. The taint model is deliberately simple: a value counts as tainted if it is the result of getParameter, a variable assigned or initialised from a tainted value, a string concatenation with a tainted operand, or a parenthesised tainted expression. Two consequences matter when reading the results. First, the query has no notion of validation, so a value that is checked for CR and LF before the setHeader call is still reported and must be reviewed and dismissed by hand. Second, the query does not cover addHeader, sendRedirect or addCookie, and it does not follow flow through method calls, StringBuilder or collections, so an absence of results is not proof that no such flow exists.

How to Address the Query Results

See the references for general information about HTTP response splitting and how to guard against it. In short: never write a request parameter into a header unchanged. Reject (or at least strip) any value containing CR or LF before it reaches setHeader, and where the set of acceptable values is known, such as the target of a redirect, validate against that set rather than relying on character filtering alone.
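The pattern the query matches, as an added example that is not part of the original page or of the SemmleCode distribution: a vulnerable redirect servlet beside a hardened one. It assumes the Servlet API (javax.servlet) is on the classpath; the class names, the url parameter and the sample request line are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Vulnerable form: the value returned by getParameter (the query's TaintRoot) is
// stored in a local variable and then written to a header, so the query reports
// the setHeader call. With a hypothetical request such as
//   GET /go?url=/home%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a<html>...
// the decoded CR LF pairs end the Location line, inject a Set-Cookie header and
// start a second, attacker-controlled response body.
class VulnerableRedirectServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String target = request.getParameter("url");
        response.setStatus(HttpServletResponse.SC_FOUND);
        response.setHeader("Location", target); // flagged: tainted value argument
    }
}

// Hardened form: the value is validated before it reaches setHeader.
public class RedirectServlet extends HttpServlet {

    // A header value must not contain CR, LF or NUL; any of them can end the
    // header line. Reject rather than strip, so a crafted value fails the
    // request instead of being silently rewritten into something else.
    static boolean containsHeaderTerminator(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == 0) {
                return true;
            }
        }
        return false;
    }

    // Redirect targets are further restricted to same-site absolute paths, which
    // also rules out open redirects ("//evil.example" is a scheme-relative URL).
    static boolean isSafeRedirectTarget(String value) {
        return value != null
            && !containsHeaderTerminator(value)
            && value.startsWith("/")
            && !value.startsWith("//");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String target = request.getParameter("url");
        if (!isSafeRedirectTarget(target)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid redirect target");
            return;
        }
        response.setStatus(HttpServletResponse.SC_FOUND);
        response.setHeader("Location", target);
    }

    // Stand-alone check of the validator on constructed inputs (no container needed).
    public static void main(String[] args) {
        String[] inputs = {
            "/home",                                    // accepted
            "/home\r\nSet-Cookie: session=attacker",    // what getParameter yields for %0d%0a; rejected
            "//evil.example/phish",                     // scheme-relative, rejected
            "http://evil.example/"                      // off-site, rejected
        };
        for (String in : inputs) {
            System.out.println(isSafeRedirectTarget(in) + "  " + in.replace("\r\n", "\\r\\n"));
        }
    }
}
```

Note that the hardened servlet still matches the query: isTainted tracks the variable target from its getParameter initialiser and knows nothing about the check that precedes setHeader. Results on code like RedirectServlet are therefore review candidates to be dismissed after confirming the validation, not defects to be fixed again.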

Source Code
import default

/** A method that introduces untrusted data: javax.servlet.ServletRequest.getParameter. */
class TaintRoot extends Method {
  TaintRoot() {
    this.hasName("getParameter") and
    this.getDeclaringType().hasQualifiedName("javax.servlet", "ServletRequest")
  }
}

/**
 * Holds if e is tainted: it is a call to a tainting method, it reads a variable
 * that was assigned or initialised from a tainted value, or it is a string
 * concatenation or parenthesised expression built from a tainted value.
 */
predicate isTainted(Expr e) {
  // a direct call to a taint root, e.g. request.getParameter("url")
  ((MethodAccess)e).getMethod() instanceof TaintRoot
  or
  // a read of a variable that is assigned a tainted value somewhere: v = tainted
  exists(AssignExpr ae |
    ((VarAccess)ae.getDest()).getVariable() = ((VarAccess)e).getVariable() and
    isTainted(ae.getSource()))
  or
  // a read of a local variable declared with a tainted initialiser: String v = tainted
  exists(LocalVariableDeclExpr lvde |
    ((VarAccess)e).getVariable() = lvde.getVariable() and
    isTainted(lvde.getInit()))
  or
  // string concatenation with a tainted operand: "prefix" + tainted
  isTainted(((AddExpr)e).getAnOperand())
  or
  // a parenthesised tainted expression: (tainted)
  isTainted(((ParExpr)e).getExpr())
}

// Report each call to HttpServletResponse.setHeader(name, value) whose value
// argument (index 1) is tainted.
from MethodAccess ma, Method send
where ma.getMethod() = send and
      send.hasName("setHeader") and
      send.getDeclaringType().hasQualifiedName("javax.servlet.http", "HttpServletResponse") and
      isTainted(ma.getArgument(1))
select ma, "HTTP parameter directly written to header"

References

Wikipedia article on HTTP response splitting

Article on HTTP response splitting