I would prefer to split them because you have two possibilities: 1) fix the output 2) be more tolerant of input and maybe (safely?) try to suss out what happens, e.g. is there an attack scenario for an attacker injecting headers with an extra ; that are then parsed in an HSTS scenario? I can't think of one, so it should be safe, but I could be wrong.
On Sun, Jul 3, 2022 at 10:36 AM Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA) <[email protected]> wrote:
> I see what you’re saying about the CWE-14[0-6] family being pretty limited to input processing when the issue could exist because of input or malformed output. Perhaps changing these to input/output would be more inclusive of this type of issue. Good catch.
>
> *From:* Kurt Seifried <[email protected]>
> *Sent:* Friday, July 1, 2022 8:37 PM
> *To:* CWE-RESEARCH-LIST CWE RESEARCH DISCUSSION <[email protected]>
> *Subject:* [Non-DoD Source] Is there a CWE for this?
>
> I ran across this today while auditing CSA services quarterly:
>
> In bl.ink URL redirection service, as of 2022-07-01 an improperly formatted security header exists in the HSTS support, specifically, the header served is "strict-transport-security: max-age=63072000; includeSubdomains;" which contains an extra semicolon (the final one is not needed), this may result in some clients ignoring the HSTS header and thus rendering this security protection ineffective.
>
> there's some stuff for inbound/input/malformed/configuration/directive/etc, but I'm not seeing anything for malformed outbound configuration/output.
>
> --
> Kurt Seifried (He/Him)
> [email protected]

--
Kurt Seifried (He/Him)
[email protected]
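To make the "will a client ignore this header" question concrete, here is an added example (not code from the thread or from bl.ink) of an HSTS value parser written to the RFC 6797 section 6.1 grammar, which permits empty directives (`[ directive ] *( ";" [ directive ] )`), beside a `strict` mode that models a parser rejecting the empty directive left by a trailing semicolon. The header value is the one quoted in the thread; the function names are my own.

```python
import re
from typing import Dict, Optional

# Header value as served, taken from the thread (value part only).
SAMPLE_HEADER = "max-age=63072000; includeSubdomains;"

# HTTP token characters, used for directive names.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_hsts(header_value: str, strict: bool = False) -> Optional[Dict[str, Optional[str]]]:
    """Return {directive-name: value-or-None}, or None if the header must be ignored.

    strict=False follows the RFC 6797 ABNF, where an empty directive (doubled or
    trailing ';') is allowed. strict=True models a parser that treats an empty
    directive as a syntax error, the failure mode the thread worries about.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in header_value.split(";"):
        piece = raw.strip()
        if not piece:
            if strict:
                return None
            continue  # empty directive: permitted by the grammar, skip it
        name, sep, value = piece.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not TOKEN_RE.match(name):
            return None
        value = value.strip() if sep else None
        if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string form of a directive value
        if name in directives:
            return None  # RFC 6797 6.1: a repeated directive invalidates the header
        directives[name] = value
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None  # max-age is REQUIRED and must be a non-negative integer
    return directives


def hsts_policy(header_value: str, strict: bool = False) -> Optional[Dict[str, object]]:
    """Reduce a parsed header to the policy a UA would cache, or None if ignored."""
    d = parse_hsts(header_value, strict)
    if d is None:
        return None
    return {"max_age": int(d["max-age"]), "include_subdomains": "includesubdomains" in d}
```

Running `hsts_policy(SAMPLE_HEADER)` yields the full policy, while `hsts_policy(SAMPLE_HEADER, strict=True)` returns None, which is the difference between a grammar-conformant client and an over-strict one.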
