org.sonar.l10n.java.rules.squid.S2089.html
Every field of an HTTP request, headers included, is written by the client, so an attacker can set it to anything and you cannot rely on it to tell you the truth. While it may be safe to store such values once they have been neutralized (logging the Referer for analytics, for instance), security decisions such as authentication, authorization, or whether a state-changing request is legitimate must never be based on their contents. The Referer header is a particularly poor basis for such a decision: it is trivially forged (curl -H 'Referer: https://trusted.example/' is all it takes), it is routinely stripped by browsers, proxies and privacy extensions, so an honest user may send none at all, and a lax comparison (prefix or substring match) can be satisfied by an attacker-chosen URL such as https://trusted.example.evil.net/.
This rule flags uses of the Referer header field, as returned by request.getHeader("referer").
Noncompliant Code Example
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class MyServlet extends HttpServlet {
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // The Referer header is supplied by the client and can be forged or omitted at will.
    String referer = request.getHeader("referer"); // Noncompliant
    // Gating anything on it means gating on attacker-controlled input.
    if(isTrustedReferer(referer)){
      //..
    }
    //...
  }
  // The check itself is elided on the page; whatever it does, its input is untrusted.
  private boolean isTrustedReferer(String referer) {
    //...
    return false;
  }
}
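A compliant counterpart, as an added example that is not part of the Sonar rule text: the Referer gate is replaced with a synchronizer token bound to the caller's session, so the decision rests on a secret the attacker cannot read rather than on a header the attacker can set. The class name, the csrfToken session attribute and the _csrf form parameter are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical compliant servlet (added example, not code from the rule).
 * A state-changing POST is accepted only when it carries the anti-CSRF token that
 * was issued to the caller's own session; the Referer header is never consulted.
 */
public class TokenCheckedServlet extends HttpServlet {
  // Attribute and parameter names are assumptions chosen for this example.
  static final String TOKEN_ATTR = "csrfToken";
  static final String TOKEN_PARAM = "_csrf";
  private static final SecureRandom RNG = new SecureRandom();

  /** Issue the session's token on first use and reuse it afterwards. */
  static String tokenFor(HttpSession session) {
    synchronized (session) {
      String token = (String) session.getAttribute(TOKEN_ATTR);
      if (token == null) {
        byte[] raw = new byte[32];                   // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_ATTR, token);
      }
      return token;
    }
  }

  /** Constant-time comparison, so response timing does not leak the token's bytes. */
  static boolean tokenMatches(String expected, String presented) {
    if (expected == null || presented == null) {
      return false;
    }
    return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                 presented.getBytes(StandardCharsets.UTF_8));
  }

  /** Render the form with the token embedded; base64url output is safe inside an attribute. */
  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String token = tokenFor(request.getSession(true));
    response.setContentType("text/html;charset=UTF-8");
    response.getWriter().printf(
        "<form method=\"post\"><input type=\"hidden\" name=\"%s\" value=\"%s\">"
        + "<button>Submit</button></form>%n", TOKEN_PARAM, token);
  }

  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    HttpSession session = request.getSession(false);   // never create a session on POST
    String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
    if (!tokenMatches(expected, request.getParameter(TOKEN_PARAM))) {
      response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
      return;
    }
    // Who the caller is comes from the authenticated session, not from any request header.
    // ... perform the state change here ...
    response.setStatus(HttpServletResponse.SC_NO_CONTENT);
  }
}
```

The token lives only in the server-side session and in a page the attacker cannot read cross-origin, which is what makes the check meaningful; a forged Referer buys nothing. Note that MessageDigest.isEqual is constant-time only for inputs of equal length, which is fine here because a wrong-length token is already a rejection. SameSite cookies are a sensible second layer, but they are a cookie attribute the server sets, not a request field the server trusts.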
See
- MITRE, CWE-293 - Using Referer Field for Authentication
- OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
© 2015 - 2025 Weber Informatics LLC | Privacy Policy