
I have an old legacy application at work I was assigned to fix its security vulnerabilities. We did an application assessment scan on it which showed XSS vulnerabilities. I was able to mitigate a lot of the form input by sanitizing it using a jsoup whitelist. Looking through the report I have a few areas where it was able to inject a numerical value into a long type parameter.

Here is the findings message:

The following changes were applied to the original request: Injected '622";alert(240)' into the value of parameter 'name_id'

Reasoning: The test result seems to indicate a vulnerability because the application successfully embedded a script in the response, which will be executed when the page loads in the user's browser.

Request/Response: GET /applicationName/name.jsp?name_id=622";alert(240)

The application is written in JSP/javascript for its presentation layer, and gets parameter values by calling the getParameter on the HttpRequestContext class.

Here is how the code receives the parameter value:

long nameID = request.getParameter("name_id", 0L);

How is a long type value being changed? Is it through the URL? If so how can this be mitigated or prevented?

If name_id is assigned to a long type variable in the code, how can "name_id=622";alert(240)" be injected into it?

Ken de Guzman
eaglei22

1 Answer


Basically, the XSS attack happens on the client side, inside the browser at the user's end.

The definition from Wikipedia:

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.

So, the data type used for the nameId parameter on the server side is not the concern here. Looking at your scenario, it seems that the value of the GET parameter must be processed in client-side JavaScript, which results in the script execution. So, if you are doing that and then rendering it into the JSP page, then to protect against the XSS attack either JSTL's <c:out> tag or JSTL's fn:escapeXml can be used. The escapeXml function used in both approaches escapes the XML entities, hence no script is executed in the user's browser. So, the attack is prevented.

Please refer to the first answer at the link:

XSS prevention in JSP/Servlet web application

guru
  • Thanks! Escaping URL requests using xssflt.jar is what I needed and gathered from your reference. – eaglei22 Nov 04 '14 at 18:54
  • For output into a JavaScript context you should [hex entity encode](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_JavaScript_Data_Values), rather than XML or HTML encode. Although HTML encoding may work, this is not the correct way as symbols such as `&` will be output as `&amp;` as the context is JS not HTML. – SilverlightFox Nov 05 '14 at 11:38
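Added example, not code from the question or the answer above: it shows why the `long` type on the server does not help when the raw `name_id` string is reflected into a JavaScript literal, and two defensive ways to reflect it. The class name and helper names are assumptions; the application's own `request.getParameter("name_id", 0L)` wrapper is not called here, the raw string is passed in directly.

```java
import java.util.Locale;

public final class NameIdOutput {

    // Approach 1: the page wants a long, so parse the raw parameter strictly
    // and emit only the parsed number. Anything non-numeric falls back to the
    // default the original call used (0L). A long renders only as digits (and
    // a leading '-'), so nothing script-like can survive into the page.
    static long parseNameId(String raw, long fallback) {
        if (raw == null) return fallback;
        try {
            return Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            return fallback;
        }
    }

    // Approach 2: when a string really must be reflected into a JS string
    // literal, escape per OWASP XSS Prevention Rule #3 (the rule linked in the
    // comment above): every character that is not ASCII alphanumeric becomes
    // \xHH (or \uHHHH above 0xFF), so the closing quote in 622";alert(240)
    // can never terminate the literal.
    static String escapeForJavaScript(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
            if (alnum) {
                out.append(c);
            } else if (c < 0x100) {
                out.append(String.format(Locale.ROOT, "\\x%02X", (int) c));
            } else {
                out.append(String.format(Locale.ROOT, "\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String injected = "622\";alert(240)";   // the scanner's payload from the question
        // Vulnerable pattern, equivalent to: var nameId = "<%= request.getParameter("name_id") %>";
        System.out.println("var nameId = \"" + injected + "\";");
        // Hardened, numeric: the long is rendered without quotes; invalid input becomes 0
        System.out.println("var nameId = " + parseNameId(injected, 0L) + ";");
        // Hardened, string context: the quote becomes \x22 and cannot close the literal
        System.out.println("var nameId = \"" + escapeForJavaScript(injected) + "\";");
    }
}
```

The first printed line is what the scanner saw; the second and third are what the page should emit, depending on whether the value is genuinely a number or genuinely a string.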