10.9 Do not allow custom header status messages

Information

The ability to specify custom status messages opens up the potential for additional headers to be injected. If custom header status messages are required make sure it is only in US-ASCII and does not include any user-supplied data.

Rationale:

Allowing user-supplied data into a header creates the potential for cross-site scripting (XSS).

Solution

To start Tomcat with USE_CUSTOM_STATUS_MSG_IN_HEADER set to false, add -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false to your startup script.

Default Value:

By default this is set to false.

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/systemprops.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: 581139e8eeb4210dc73eefa4f469c098a60c6056cb121405efafa9ffdb28e1e8