HTTP Response Splitting (S5167) no longer make sense in 2021 with modern web frameworks


We made a change related to the rule S5167 which detects HTTP Response Splitting vulnerabilities for Java, C#, PHP, Python and JS/TS. We decided to mark it as deprecated, remove it from the “Sonar Way” quality profile and to replace it with more precise and useful rules.

While reviewing the issues raised by this rule on open-source projects, we realized that today in 2021, most of the them were false-positives because modern web frameworks (.Net Core MVC, Spring, Flask, etc) have a builtin protection against HTTP Response Splitting attacks.

The valuable findings detected by S5167 are now reported under the umbrella of the following rules:

  • S5146: “HTTP request redirections should not be open to forging attacks”. This covers the case when the “Location” header can be tainted by a user.
  • S6287: “HTTP responses should not be vulnerable to session fixation”. This cover the case when the “Set-Cookie” header or the “SessionId” cookie (depending on the language it is called differently) can be tainted by a user.

As a consequence, don’t be surprised if you see issues related to S5167 being removed and some new issues raised by S5146 or S6287.

This change is available on SonarCloud and will be included in SonarQube Developer Edition 9.2.



The csharp rule description in sonarcloud for S5167 mentions three replacements.

The second and third links bring up an empty page