
I was told by the penetration test team that the URL below is causing an XSS attack:

https://some-site.com/test/jsp/download_msg.jsp?&report_id=0&id=1369413198709cUjxb8IRCtTJcbYBHb0Qiph&id=1369413198709cUj

Here is my code for download_msg.jsp:

    <% String download_msg = null;
       if (session == null || session.getAttribute("user") == null) {
           download_msg = "Error message";
       } else {
           download_msg =
               ((OLSUser) session.getAttribute("user")).getReportInfo().getDownloadMsg();
       }
    %>

    <html>
    <head>
      <SCRIPT LANGUAGE='JavaScript' SRC='/Test/test.js'></SCRIPT>
      <SCRIPT LANGUAGE='JavaScript'>init('StmsReps');</SCRIPT>
      <script language="JavaScript">
        function redirect() {
          if (window.focus)
            self.focus();
          this.location = "/test/DownloadReport?<%=request.getQueryString()%>";
        }
      </script>
      <title>XSS</title>
    </head>
    <body marginwidth='0' marginheight='0' onload='javascript:redirect()'>
      <table width='90%' height='100%' align='center' border='0' cellspacing='0'
             cellpadding='0'>
        <tr>
          <td align='center' class='header2'> <%= download_msg %></td>
        </tr>
      </table>
    </body>
    </html>

I found that JSTL can handle XSS attacks. Can you please advise whether doing the below will be fine, or do I need to do something else?

    <c:out value="<%= download_msg %>" escapeXml="true"/>

Sam
  • JSTL will protect you against XSS that comes from your server to your client, but not when going from client to server. – Luiggi Mendoza May 24 '13 at 20:27
  • In your example at bottom, that JSTL won't protect you against XSS. – Luiggi Mendoza May 24 '13 at 20:30
  • Thanks for your reply! Can you please suggest what I need to do here? – Sam May 24 '13 at 20:47
  • If you must use `escapeXml="true"` then sanitize your `${download_msg}` variable against XSS and then display it. For incoming data, there are frameworks like JSF that already [support XSS attacks](http://stackoverflow.com/q/7722159/1065197). – Luiggi Mendoza May 24 '13 at 20:59

1 Answer


No. It is not sufficient:

    this.location = "/test/DownloadReport?<%=request.getQueryString()%>";

An attacker may be able to send a link with a query string like

    ?</script><script>alert(1337)//

or

    ?%22/alert('Pwned')

to naïve users who might click the link and execute the embedded code.

You have to apply appropriate escaping policies everywhere untrusted input is interpolated into a template.


I can't test these strings against your setup obviously, and they may not work if you test with them since browsers often do some normalization of query strings, but you shouldn't rely on that to protect you against HTML meta-characters in query strings.

Mike Samuel
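Context-aware escaping for the two sinks in the JSP above (the JavaScript string literal inside `<script>`, and the HTML text cell showing `download_msg`), added here as an example and not code from the question or the answer. The class `TemplateEscaper`, its method names and the JSP usage lines in the comments are assumptions; the payloads in `main` are the two strings from the answer.

```java
// TemplateEscaper.java (hypothetical helper): escape untrusted text for the
// exact output context it is interpolated into. One escaper per context.
public final class TemplateEscaper {

    private TemplateEscaper() {}

    /** HTML text sink, e.g. the <td> that shows download_msg. */
    public static String forHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** JS string literal inside an HTML <script> block, e.g. the redirect() URL.
     *  \\uXXXX escapes are decoded by the JS engine but never by the HTML parser,
     *  so "\\u003c/script\\u003e" cannot close the script element. */
    public static String forJsStringInScript(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            boolean unsafe = c < 0x20 || c == '"' || c == '\'' || c == '\\' || c == '/'
                          || c == '<' || c == '>' || c == '&'
                          || c == 0x2028 || c == 0x2029; // JS line terminators
            if (unsafe) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    // Illustrative JSP usage (assumed, not the original page's code):
    //   this.location = "/test/DownloadReport?<%= TemplateEscaper.forJsStringInScript(request.getQueryString()) %>";
    //   <td align='center' class='header2'><%= TemplateEscaper.forHtml(download_msg) %></td>
    public static void main(String[] args) {
        // Constructed input: the two query strings quoted in the answer.
        String[] payloads = { "</script><script>alert(1337)//", "\"/alert('Pwned')" };
        for (String p : payloads) {
            System.out.println("this.location = \"/test/DownloadReport?"
                + forJsStringInScript(p) + "\";");
        }
    }
}
```

The OWASP Java Encoder's `Encode.forJavaScript` and `Encode.forHtml` provide the same two contexts in a maintained library; the JS escaper here keeps `&` as `\u0026`, which JavaScript decodes back to a literal `&` so the query parameters still separate correctly in the resulting URL.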