What happens if you include unvalidated data in an HTTP response header?
Including unvalidated data in an HTTP response header enables attacks such as cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation, and open redirect.
What is header manipulation?
1. Data enters a web application through an untrusted source, most frequently an HTTP request.
2. The data is included in an HTTP response header sent to a web user without being validated.
As with many software security vulnerabilities, Header Manipulation is a means to an end, not an end in itself.
What is the problem with HTTP headers?
The problem is that if the value comes from user input, he can attack your HTTP headers. If he is able to insert CR (carriage return, also given by %0d or \r) into the value, then he can add other headers into your HTTP request (because HTTP headers are separated by CR). Source: Nice web article about those attacks.
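The two answers above describe the mechanism (untrusted data reaching a header, and a CR/LF inside it turning one header line into several). The following Python is an added example, not code from the original page or its sources: it models the vulnerable header-building pattern beside a hardened one, parses the result the way a browser or cache would, and adds a check for the open-redirect case. The header name, the parameter value and the redirect targets are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Added example (not from the original page): a small model of how an HTTP
# response header line is assembled from untrusted input, with the vulnerable
# pattern beside a hardened one, plus a parser that shows what a client or
# cache would read back. All values below are constructed.

CRLF_RE = re.compile(r"[\r\n]")

# Constructed untrusted input, as it would arrive URL-encoded in a request.
# %0d%0a decodes to CR LF, the separator between header lines.
RAW_PARAM = "en%0d%0aX-Injected:%201"
DECODED_PARAM = unquote(RAW_PARAM)


def build_header_unsafe(name: str, value: str) -> str:
    """Vulnerable: the value is written into the header line as-is."""
    return f"{name}: {value}\r\n"


def build_header_safe(name: str, value: str) -> str:
    """Hardened: refuse any value containing CR or LF, since those characters
    are what lets a single value become several header lines."""
    if CRLF_RE.search(value):
        raise ValueError("header value must not contain CR or LF")
    return f"{name}: {value}\r\n"


def parse_headers(block: str) -> list:
    """Split a CRLF-delimited header block into (name, value) pairs, the way
    a browser, proxy or cache reads it."""
    parsed = []
    for line in block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        parsed.append((name.strip(), value.strip()))
    return parsed


def header_count(name: str, value: str, builder) -> int:
    """How many header lines the client sees for one name/value pair."""
    return len(parse_headers(builder(name, value)))


def is_safe_redirect(target: str) -> bool:
    """Accept only a same-site relative path as a Location value: no CR/LF,
    must start with a single '/', must not be scheme-relative ('//'), and
    must not contain a backslash (some browsers treat '\\' as '/')."""
    if CRLF_RE.search(target):
        return False
    return (
        target.startswith("/")
        and not target.startswith("//")
        and "\\" not in target
    )


if __name__ == "__main__":
    n = header_count("Content-Language", DECODED_PARAM, build_header_unsafe)
    print("unsafe builder yields", n, "header line(s) from one value")
    try:
        build_header_safe("Content-Language", DECODED_PARAM)
    except ValueError as exc:
        print("safe builder rejected it:", exc)
    for t in ("/account", "//evil.example/", "https://evil.example/", "/ok%0d%0aX:%201"):
        print(repr(t), "safe redirect:", is_safe_redirect(unquote(t)))
```

The check in `build_header_safe` is the minimal fix for the pattern the answers describe: decode first, then reject the value outright rather than trying to strip characters, so a rejected request is visible in logs. `is_safe_redirect` covers the open-redirect item in the list above by allowing only a same-site relative path rather than a caller-supplied absolute URL.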
What happens if a method sends unvalidated data to a web browser?
The method sends unvalidated data to a web browser on line xx, which can result in the browser executing malicious code. Any idea how I can fix this? This line is not enough to understand the problem. Can you give a bigger snippet of code? (The important part is to understand whether any user input is affecting your responseString.)