Jeremiah Grossman: HTTP Response Splitting Revelations


Jeremiah Grossman has released some additional information on the pervasiveness and severity of HTTP Response Splitting (HRS1, not to be confused with HRS2, which is HTTP Request Smuggling).
While the recommendations are spot on (input validation, output filtering), I'd say they're a bit incomplete:
1) Input validation should always be whitelist-based. The recommendation there was to remove carriage returns or linefeeds. My recommendation is: don't allow the input at all if it doesn't fit the model you're looking for.
2) (This is the more important one.) In my experience, it's almost never necessary to return a user's direct input as a header. The most common cases where I see Response Splitting/Header Injection are when a user preference cookie is set (what's your favorite background color?) or in redirects. If it's a user preference, it belongs in the user's session, not in a cookie in the user's browser. And if it's a redirect, and you can exploit HRS through that redirect, you've almost certainly got an open redirect issue as well.

So there's my amendment:
1) Business rule: whitelist input validation
2) Proper output filtering (some of the Java APIs for writing cookies and headers will even throw exceptions if the output isn't properly encoded, but the behavior is inconsistent: some throw exceptions, others don't throw but encode for you, and some do neither).
3) Look at the engineering: is the information you're putting in a cookie really necessary to put in a cookie? Does it make more sense to put it in the session?
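As an added example (not from Jeremiah's post or from this blog, and in Python rather than the Java APIs mentioned), here is a constructed "favorite background color" preference handler showing the raw header write the post warns about, a parser used as a test oracle, and the three amendments applied. The color set, the session dict layout and the header names are assumptions.

```python
import re
from typing import List, Tuple

# Constructed example: a "favorite background color" preference handler.
ALLOWED_COLORS = {"white", "black", "blue", "green", "red"}   # assumed business rule
CTRL_CHARS = re.compile(r"[\r\n\x00]")
Header = Tuple[str, str]


def serialize(headers: List[Header], body: str = "") -> str:
    """Naive serializer with no output filtering, standing in for a framework
    that writes header values verbatim. A CR/LF inside a value becomes a new
    header line (or a new response) on the wire."""
    lines = ["HTTP/1.1 200 OK"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def header_names(raw: str) -> List[str]:
    """Parse the header block back out, as a test oracle: the names actually
    present on the wire, not the ones the handler thought it set."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


def set_color_unvalidated(color: str) -> List[Header]:
    """The pattern the post describes: user input written straight into Set-Cookie."""
    return [("Set-Cookie", f"bgcolor={color}"), ("Content-Type", "text/html")]


def validate_color(color: str) -> str:
    """Amendment 1: whitelist against the business model. Do not strip CR/LF
    and carry on; reject anything that is not a known color."""
    c = color.lower()
    if c not in ALLOWED_COLORS:
        raise ValueError(f"color not in allowed set: {color!r}")
    return c


def safe_header(name: str, value: str) -> Header:
    """Amendment 2: output filtering at the header-writing layer, throwing
    rather than silently encoding, as the post notes some Java APIs do."""
    if CTRL_CHARS.search(name) or CTRL_CHARS.search(value):
        raise ValueError("control characters in header field")
    return (name, value)


def set_color_hardened(color: str, session: dict) -> List[Header]:
    """Amendment 3: the preference lives in the server-side session; only an
    opaque session id, never the user's input, goes back in a cookie."""
    session["bgcolor"] = validate_color(color)
    return [safe_header("Set-Cookie", f"sid={session['id']}; HttpOnly"),
            safe_header("Content-Type", "text/html")]
```

Running `header_names` over the serialized output of each path is a cheap regression check: the count of header names on the wire must equal the count the handler intended to set.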