I am new to Veracode and am facing CWE-117. I understand that Veracode raises this error when your logger statements could be attacked through malicious request parameter values passed in. So we need to remove \r and \n (CRLF) from the variables used in the logger statements. Most newcomers will wonder what method should be used to remove CRLF from the variables passed into the logger statement. Sometimes replaceAll() does not work either, because...
Fix: Fortunately, this fix is very simple. Simply prevent the two characters of a CRLF sequence from being saved within this stream. Veracode’s recommended approach is to encode any input from users that is written to the log (although there are other fixes). In Java applications, it’s e...
I read on some forums the myth that doing something like the following is enough to pass the Veracode CWE 117 (Improper Output Neutralization for Logs) issue. Can someone confirm whether that is the case? message.replaceAll("\r", "_").replaceAll("\n", "_"); From this topic How to fix Veracode CWE 117 (Improper Output ...
CWE 117: Improper Output Sanitization for Logs is a logging-specific example of CRLF Injection. It occurs when a user maliciously or accidentally inserts line-ending characters (CR [Carriage Return], LF [Line Feed], or CRLF [a combination of the two]) into data that writes into a log. Beca...
500.12 - The application is busy restarting on the web server. HttpCode: when the browser sends a request to the server, the response message headers contain...
The Veracode scan indicates that this logging has Improper Output Neutralization for Logs and recommends using the ESAPI logger. Is there a way to fix this vulnerability without changing the logger to ESAPI? This is the only place in the code where I hit this issue, and I am trying to figure out how to fix it with minimal changes. Maybe ESAPI has some method I have not noticed?
Fix: In general, fixing Information Leakage flaws means removing the offending information from user-facing output. To do this, you could amend the first example like this: warningDialogBox = this.myWidgetFactoryWrapper.createHtmlDialogBox()-warningDialogBox.setText("WARNING: Could not connect to ...