Sensei Logo Sensei Hub

Recipe - Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject semicolon

Description:
Rejecting semicolons is more secure
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
Documentation

Disallowing semicolons in the URL is more secure, as they are frequently used to perform exploits, such as Reflected File Download attacks. Spring Security by default sets StrictHttpFirewall#setAllowSemicolon to false.

Before
firewall.setAllowSemicolon(true);
After
firewall.setAllowSemicolon(false);
References
Recipe
id: scw:spring:security:stricthttpfirewall-semicolon
version: 10
metadata:
  name: 'Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject semicolon'
  shortDescription: Rejecting semicolons is more secure
  level: warning
  language: java
  enabled: true
  descriptionFile: descriptions/RejectSemicolons.html
  tags: Spring;security;framework specific;Spring Security;web
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "true"
    name: setAllowSemicolon
    type: org.springframework.security.web.firewall.StrictHttpFirewall
availableFixes:
- name: Set setAllowSemicolon to false
  actions:
  - modifyArguments:
      rewrite:
        1: "false"