    String id = request.getParameter("id") != null ? request.getParameter("id") : "0";
    aaaa doc = bbb.getdetailsById(id);
    byte b[] = doc.getUploaded();
    try {
        response.setContentType("APPLICATION/OCTET-STREAM");
        String disHeader = "Attachment;Filename=" + doc.getName();
        response.setHeader("Content-Disposition", disHeader);
        ServletOutputStream servletoutputstream = response.getOutputStream();
        servletoutputstream.write(b, 0, b.length);
    } catch (IOException e) {
        // handler added so the try block compiles; the original fragment ends here
        throw new ServletException(e);
    }

I have this piece of code. The code audit tool says that `servletoutputstream.write(b, 0, b.length);` is XSS vulnerable, but I don't have any clue how it is reporting that, or how to fix it. I am using ESAPI to validate the input and to escape the output in the other reported XSS issues. Do I need to do the same for these as well? Please give suggestions or solutions. After doing some research I found that the byte b[] needs to be escaped with htmlEscape or xmlEscape using ESAPI. Will that solve the issue?

R.K.R

3 Answers


If getUploaded() returns some JavaScript code uploaded by a hacker, such as <script>alert('hi')</script>, then this may create a problem.

You can try the solution below, which comes with the Spring framework, to format the strings.

HtmlUtils.htmlEscape("<script> alter(''hi)</script>")

Output:

&lt;script&gt; alter(''hi)&lt;/script&gt

You can also use the JSTL library to format a string containing JavaScript.

    import org.springframework.web.util.HtmlUtils;

    // Decode the bytes as text, HTML-escape the text, and re-encode it with the same charset.
    public static byte[] getFormatedString(byte[] string) {
        String str = new String(string, java.nio.charset.StandardCharsets.UTF_8);
        str = HtmlUtils.htmlEscape(str);
        return str.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    }

Your code:

    String id = request.getParameter("id") != null ? request.getParameter("id") : "0";
    aaaa doc = bbb.getdetailsById(id);
    byte b[] = doc.getUploaded();
    try {
        response.setContentType("APPLICATION/OCTET-STREAM");
        String disHeader = "Attachment;Filename=" + doc.getName();
        response.setHeader("Content-Disposition", disHeader);
        servletoutputstream = response.getOutputStream();
        // Write the escaped bytes using their own length; escaping makes the array longer than b.
        byte[] escaped = getFormatedString(b);
        servletoutputstream.write(escaped, 0, escaped.length);
    } catch (IOException e) {
        throw new ServletException(e);
    }
amicngh
  • It takes a string as a parameter, so you can convert byte[] to a string, then format it and convert it back to byte[]. – amicngh Jun 19 '12 at 07:53
  • Is escaping, either with htmlEscape or with OWASP ESAPI's ESAPI.encoder().encodeForHTML, the best solution for these types of XSS problems? Do you have any other solution or suggestion, as I cannot test this solution and have to deliver it directly to the client? – R.K.R Jun 19 '12 at 10:15

Validate the input 'id' using ESAPI, for example. Validate the fileName for FILE DOWNLOAD INJECTION using ESAPI. Also validate the byte b[] using getVAlidatedFileContent() from ESAPI.

This is a case of STORED XSS VULNERABILITY ISSUE.

R.K.R
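A worked version of the checks this answer lists (validate `id`, validate the file name before it goes into a response header, validate the file content), added here as an example and not code from the question or any answer. `Document`, `DocumentStore`, the `DocumentId` validation type, the allowed extensions and `MAX_BYTES` are assumptions; the ESAPI calls are the real `Validator` API.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;

// Assumed shapes of the question's "aaaa" document and "bbb" lookup service.
interface Document { String getName(); byte[] getUploaded(); }
interface DocumentStore { Document getdetailsById(String id); }

public class SafeDownload {
    // Upper bound on what we are willing to stream back (assumed value).
    private static final int MAX_BYTES = 10 * 1024 * 1024;

    public static void send(HttpServletRequest request, HttpServletResponse response,
                            DocumentStore store) throws IOException {
        try {
            // 1. 'id' must match the "DocumentId" regex type, which you must define in
            //    ESAPI's validation.properties (assumed name, e.g. ^[0-9]{1,10}$).
            String rawId = request.getParameter("id");
            String id = ESAPI.validator().getValidInput("download.id",
                    rawId != null ? rawId : "0", "DocumentId", 10, false);
            Document doc = store.getdetailsById(id);

            // 2. The stored name goes into a response header: reject anything that is not a
            //    plain file name with an allowed extension so it cannot smuggle CR/LF or quotes.
            String name = ESAPI.validator().getValidFileName("download.name", doc.getName(),
                    Arrays.asList(".pdf", ".png", ".txt"), false);

            // 3. Check the bytes for presence and size only. Do not HTML-escape them: that
            //    would corrupt binary files, and escaping is for data rendered as HTML.
            byte[] body = ESAPI.validator().getValidFileContent("download.body",
                    doc.getUploaded(), MAX_BYTES, false);

            // Serve as an attachment so the browser saves rather than renders it, and tell it
            // not to sniff the bytes into a renderable (e.g. HTML) type.
            response.setContentType("application/octet-stream");
            response.setHeader("X-Content-Type-Options", "nosniff");
            response.setHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
            response.setContentLength(body.length);
            ServletOutputStream out = response.getOutputStream();
            out.write(body, 0, body.length);
            out.flush();
        } catch (ValidationException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
}
```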

If you use Spring MVC, there is a feature for the purpose, enabled as follows:

<context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
</context-param>

here is the clue

2nd clue

user965347
  • Can you please explain what this is intended to do? Is it from OWASP ESAPI? – R.K.R Jun 19 '12 at 07:24
  • Without any additional context or explanation, this is simply wrong. – Peter Štibraný Jun 19 '12 at 07:24
  • Just got clicked, not intentionally; perfect now. – R.K.R Jun 19 '12 at 07:31
  • The thing is that you need to use Spring MVC, otherwise this parameter has absolutely no effect. Also be aware that simple HTML escaping is not sufficient. See the OWASP cross-site injection prevention cheat sheet for more details. – Peter Štibraný Jun 19 '12 at 07:32
  • Yes, I am using Spring MVC. Will you explain a bit what it will do? Also, what do you mean by simple HTML encoding? I am using ESAPI.encoder().encodeForXML() to encode/escape some variables to prevent XSS attacks. Is that correct, or do I need to do more/something else? – R.K.R Jun 19 '12 at 07:35
  • "defaultHtmlEscape" works similarly to calling `ESAPI.encoder().encodeForHTML` for all strings. However, the exact encoding you need depends on where the data is being written. In an HTML page there are many different contexts where you can write data (e.g. between HTML tags, inside an HTML attribute, into JavaScript or CSS, into a URL), and each of these places needs different encoding to avoid security problems. – Peter Štibraný Jun 19 '12 at 07:39
  • At some point I gathered that blacklist encoding/escaping is not that useful. Can you tell me something about that? – R.K.R Jun 19 '12 at 07:55
  • I'm not sure what you mean by "blacklist encoding/escaping". Encoding/escaping works, but you need to use the proper escaping depending on the context. See here: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet – Peter Štibraný Jun 19 '12 at 09:36