I would prefer to split them because you have two possibilities: 1) fix the output; 2) be more tolerant of input and maybe (safely?) try to suss out what happens, e.g. is there an attack scenario for an attacker injecting headers with an extra ; that are then parsed in an HSTS scenario? I can't think of one, so it should be safe, but I could be wrong.
On Sun, Jul 3, 2022 at 10:36 AM Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA) <jonathan.w.hood6....@army.mil> wrote:

> I see what you're saying about the CWE-14[0-6] family being pretty limited to input processing when the issue could exist because of input or malformed output. Perhaps changing these to input/output would be more inclusive of this type of issue. Good catch.
>
> *From:* Kurt Seifried <k...@seifried.org>
> *Sent:* Friday, July 1, 2022 8:37 PM
> *To:* CWE-RESEARCH-LIST CWE RESEARCH DISCUSSION <CWE-RESEARCH-LIST@mitre.org>
> *Subject:* [Non-DoD Source] Is there a CWE for this?
>
> I ran across this today while auditing CSA services quarterly:
>
> In bl.ink URL redirection service, as of 2022-07-01 an improperly formatted security header exists in the HSTS support, specifically, the header served is "strict-transport-security: max-age=63072000; includeSubdomains;" which contains an extra semicolon (the final one is not needed), this may result in some client ignoring the HSTS header and thus rendering this security protection ineffective.
>
> There's some stuff for inbound/input/malformed/configuration/directive/etc, but I'm not seeing anything for malformed outbound configuration/output.
>
> --
> Kurt Seifried (He/Him)
> k...@seifried.org

--
Kurt Seifried (He/Him)
k...@seifried.org
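Added example (not code from the thread, from bl.ink, or from the CWE project): a small RFC 6797-style parser for the header value quoted above. The RFC's grammar, `[ directive ] *( ";" [ directive ] )`, makes the directive after a `;` optional, so a conforming client treats the trailing `;` as an empty directive rather than a syntax error, while a stricter client might not; `audit_hsts` is an assumed helper that flags such oddities for an auditor. The function names and the simplified quoted-string handling are my assumptions.

```python
import re
# RFC 2616 "token" characters, used for directive names and unquoted values.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

class HSTSError(ValueError):
    pass  # non-conforming value: RFC 6797 says the UA must ignore such a header

def parse_hsts(value):
    """Return {name_lowercase: value_or_None}; raise HSTSError if non-conforming.
    RFC 6797 grammar is [ directive ] *( ";" [ directive ] ): the directive after
    a ';' is optional, so a trailing ';' is an empty directive, not a syntax error.
    Assumption: quoted-string values contain no ';' and no escaped quotes."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # empty directive slot, e.g. the trailing ';'
        name, sep, val = raw.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not TOKEN.match(name):
            raise HSTSError(f"bad directive name {name!r}")
        val = val.strip() if sep else None
        if sep and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form
        elif sep and not TOKEN.match(val):
            raise HSTSError(f"bad value for {name}: {val!r}")
        if name in directives:
            raise HSTSError(f"duplicate directive {name}")  # each MUST appear once
        directives[name] = val
    return directives

def hsts_policy(value):
    """Return (max_age_seconds, include_subdomains); max-age is required."""
    d = parse_hsts(value)
    age = d.get("max-age")
    if age is None or not age.isdigit():
        raise HSTSError("max-age is required and must be a non-negative integer")
    return int(age), "includesubdomains" in d

def audit_hsts(value):
    """Auditor's lint: report oddities a conforming parser tolerates but a sloppy
    client might trip on, such as the extra ';' discussed in the thread."""
    findings = []
    if value.rstrip().endswith(";") or ";;" in value.replace(" ", ""):
        findings.append("empty directive (stray ';')")
    try:
        hsts_policy(value)
    except HSTSError as exc:
        findings.append(f"non-conforming, a UA will ignore it: {exc}")
    return findings
```

Running `audit_hsts("max-age=63072000; includeSubdomains;")` on the constructed copy of the bl.ink value reports the stray `;` as a cosmetic finding while `hsts_policy` still yields a usable policy.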