What would be the best way to get cookies from HttpServletRequest object?


I have a method which returns the cookie value, getting the cookie from an auto-wired HttpServletRequest object. I'm adding the same cookie to call another service in restClient. Everything is working fine, but when I ran a Fortify scan, it gave a high-priority issue that request.getCookies() can cause Server-Side Request Forgery. What to do in this case?

I've tried validating the cookie string by doing this

StringEscapeUtils.escapeXml(StringEscapeUtils.escapeHtml(StringEscapeUtils.escapeJavaScript(cookie.getValue())));

But it's of no use.

The code is as follows:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringEscapeUtils;

private static final String EMPTY = "";

// Returns the value of the session cookie, or EMPTY if the request carries none.
private String getSessionCookieValue(HttpServletRequest request) {
    Cookie[] cookies = request.getCookies();

    if (cookies == null) {
        return EMPTY;
    }

    for (Cookie cookie : cookies) {
        if (HeaderConstant.ASESSIONID.equals(cookie.getName())) {
            return StringEscapeUtils.escapeXml(
                   StringEscapeUtils.escapeHtml(
                   StringEscapeUtils.escapeJavaScript(
                   cookie.getValue())));
        }
    }

    return EMPTY;
}

So Fortify is highlighting this line "Cookie[] cookies = request.getCookies();" as Server-Side Request Forgery.


There are 0 answers
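Added example, not code from the question or from any answer: a reader for the same cookie that validates the value against an allowlist pattern instead of escaping it. Escaping for XML, HTML and JavaScript addresses injection into markup or script, not the flow of a request-controlled value into an outbound HTTP call, which is what an SSRF finding is about; the class, the cookie name constant and the token format below are assumptions.

```java
import java.util.Optional;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

public final class SessionCookieReader {

    // Assumed cookie name; the question's code uses HeaderConstant.ASESSIONID.
    static final String SESSION_COOKIE_NAME = "ASESSIONID";

    // Allowlist: a session id is an opaque token, so accept only a bounded run of
    // URL-safe token characters. This keeps CR/LF, whitespace, quotes and ';' out of
    // the forwarded Cookie header. Assumed format: adjust to the real token shape.
    private static final Pattern SESSION_ID_FORMAT =
            Pattern.compile("^[A-Za-z0-9_-]{16,128}$");

    private SessionCookieReader() {}

    /** Returns the session id only if it is present and well-formed; empty otherwise. */
    public static Optional<String> sessionId(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return Optional.empty();
        }
        for (Cookie cookie : cookies) {
            if (SESSION_COOKIE_NAME.equals(cookie.getName())) {
                return validate(cookie.getValue());
            }
        }
        return Optional.empty();
    }

    /** Accept-known-good check: anything outside the allowlisted format is dropped. */
    static Optional<String> validate(String raw) {
        if (raw == null || !SESSION_ID_FORMAT.matcher(raw).matches()) {
            return Optional.empty(); // do not escape-and-forward; refuse the value
        }
        return Optional.of(raw);
    }
}
```

The outbound call's host and path stay hard-coded in the caller and only a validated id is placed in the forwarded Cookie header; whether a particular scanner recognises this check as a sanitizer depends on its rule configuration.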