Recipe Name:
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject semicolon
Description:
Rejecting semicolons is more secure
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- Spring Security
- web
Documentation
Disallowing semicolons in the URL is more secure, as they are frequently used to perform exploits, such as Reflected File Download attacks. Spring Security by default sets StrictHttpFirewall#setAllowSemicolon to false.
firewall.setAllowSemicolon(true);After
firewall.setAllowSemicolon(false);References
Recipe
id: scw:spring:security:stricthttpfirewall-semicolon
version: 10
metadata:
name: 'Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject semicolon'
shortDescription: Rejecting semicolons is more secure
level: warning
language: java
enabled: true
descriptionFile: descriptions/RejectSemicolons.html
tags: Spring;security;framework specific;Spring Security;web
search:
methodcall:
args:
1:
type: boolean
value:
stringified: "true"
name: setAllowSemicolon
type: org.springframework.security.web.firewall.StrictHttpFirewall
availableFixes:
- name: Set setAllowSemicolon to false
actions:
- modifyArguments:
rewrite:
1: "false"