
I am developing a web application using java servlets and jsps. I wanted to make sure my application is secure, that's why I ran some tools and got the reports regarding cross-site scripting. Please find the below code:

SampleServlet.java:

String key = ExternalAuthentication.startExternalAuthentication(request);
request.setAttribute("authParam", authParam);
out.write("<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\"> \n");
out.write("<html><body onload=\"document.forms[0].submit()\">\n");
out.write("<form method=\"POST\" action=\"" + request.getContextPath() + targetPage + "\">\n");
out.write("<input type=\"hidden\" name=\"actionUrl\" value=\"" + actionUrlBuilder.toString() + "\"/>\n");
// the tool flags this line: authParam is concatenated into a double-quoted attribute value without escaping
out.write("<input type=\"hidden\" name=\"authParam\" value=\"" + request.getAttribute("authParam") + "\"/>\n");
out.write("</form>\n</body>\n</html>\n");

The above `setAttribute` is then used in the JSP as follows:

// Tool comment: refers to request attributes that have been contaminated (tainted).
// Tool comment: request.getAttribute("authParam") is written into an HTML double-quoted
// attribute without being properly sanitized for that context; risk of cross-site scripting.
request.getAttribute("authParam");

Can anyone suggest how to fix it? Is it required to encode the authParam value before setting it into the request?

M.S.Naidu
    Setting and getting attributes to/from the request is never going to cause any XSS issue. What matters is what you're doing with the attribute, and we can't know that from what you posted. The only thing we can deduce is that you have Java code inside your JSPs, which is, by itself, a bad practice. – JB Nizet Nov 12 '15 at 07:42
  • Hello @JBNizet, thank you for your suggestion. Please observe the comments (comments from the tool) like "it is holding the pollution data as a request attribute". – M.S.Naidu Nov 12 '15 at 08:47
  • Let's make a car analogy. A car can potentially be dangerous if you do stupid things with it on the road, right. All the tool is telling you, right now is "Beware: you stored a car in your garage". That is not a problem at all. The problem might come when you start driving the car on the road. To leave the analogy: the problem might come when you start doing something, with authParam, like printing it, in the HTML being generated by the JSP. But since we have no idea of what you're doing with authParam, we can't tell anything. – JB Nizet Nov 12 '15 at 09:20
  • Hi @JBNizet, sorry for the incomplete details, we are not printing authParam anywhere; after setting it in the request as an attribute, we will use it as a hidden input variable and display the JSP page (login), and we need the same authParam when the user enters details and submits to the server through the same JSP page (login). Please let me know if you are still not clear – M.S.Naidu Nov 12 '15 at 09:28
  • If you use it as a hidden input value, you ARE printing it in the generated HTML. Just because the user can't see it in a browser doesn't mean it isn't part of the HTML. Do you understand what an XSS attack is? Why don't you post the relevant code? – JB Nizet Nov 12 '15 at 09:55
  • @JBNizet, Please find the relevant code – M.S.Naidu Nov 12 '15 at 11:42
  • We still have no idea what authParam is, and where it comes from. We still don't have any idea of what you do with it in the JSP. And you're using a servlet to generate HTML: that's exactly what JSPs are for. Anyway, since you're writing its value in the HTML generated by the servlet, unless you can be absolutely sure that it doesn't contain any HTML special character, you MUST escape it before writing it. – JB Nizet Nov 12 '15 at 13:09

1 Answer

we will use it as a hidden input variable and display the JSP page (login)

Try using either of the following:

  • c:out : <c:out value="${authParam}" />
  • JSTL EL fn:escapeXml method : ${fn:escapeXml(authParam)}

Both of these escape data for either the HTML data (text) context or the HTML double-quoted attribute context. EL looks up authParam in the JSP page scope first and then in the request attributes. If you want to search only the request attributes, prefix it with requestScope, as in requestScope.authParam, in case you also set a variable of the same name in the page scope.

However, your question is a duplicate of this question. I don't have enough reps to flag as such.

coastalhacking
  • I am writing the JSP code in the servlet only, using PrintWriter as in the code shown above. Shall I use EL in the servlet? – M.S.Naidu Nov 16 '15 at 06:34
  • OK, I misunderstood. You'll need to use an escaping / encoding library. You're currently outputting data into HTML double-quoted attributes. These should work: [Spring HtmlUtils.htmlEscape](https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/util/HtmlUtils.html#htmlEscape-java.lang.String-), [Coverity Escape.html](http://coverity.github.io/coverity-security-library/com/coverity/security/Escape.html#html%28java.lang.String%29), [OWASP ESAPI](https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API) – coastalhacking Nov 16 '15 at 14:48
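The following is an added example, not code from the question or the answer. It rebuilds the auto-submitting form from the question with a PrintWriter, the way the servlet does, but escapes every fragment that lands inside an HTML double-quoted attribute, and it shows what a constructed attacker-controlled authParam does to the unescaped version. The class name HiddenFormEscapeDemo, the helper names escapeHtmlAttribute, hiddenFieldUnescaped, hiddenFieldEscaped and writeAutoSubmitForm, and the context path and target page values are all hypothetical; the hand-written escaper is there so the file runs stand-alone without the servlet API, and in production one of the libraries named in the comment above should be used instead.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

/**
 * Added example (not from the question or the answer). Escapes values written
 * into HTML double-quoted attributes from a servlet that builds HTML by hand.
 * All names here are hypothetical. Run stand-alone with:
 *   java HiddenFormEscapeDemo.java
 */
public class HiddenFormEscapeDemo {

    /**
     * Escapes the five characters that can terminate an HTML double-quoted
     * attribute value or start a tag. For these characters this matches what
     * HtmlUtils.htmlEscape, Coverity Escape.html and JSTL c:out produce;
     * prefer one of those libraries in real code.
     */
    static String escapeHtmlAttribute(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The pattern from the question: the value is concatenated raw. */
    static String hiddenFieldUnescaped(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + value + "\"/>";
    }

    /** The fix: escape at the point the value is written into the attribute. */
    static String hiddenFieldEscaped(String name, String value) {
        return "<input type=\"hidden\" name=\"" + escapeHtmlAttribute(name)
                + "\" value=\"" + escapeHtmlAttribute(value) + "\"/>";
    }

    /**
     * The page the servlet in the question emits, with escaping applied.
     * contextPath and targetPage should be server-controlled, but they are
     * escaped anyway because they too land inside a double-quoted attribute.
     */
    static void writeAutoSubmitForm(PrintWriter out, String contextPath, String targetPage,
                                    String actionUrl, String authParam) {
        out.write("<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" "
                + "\"http://www.w3.org/TR/html4/loose.dtd\">\n");
        out.write("<html><body onload=\"document.forms[0].submit()\">\n");
        out.write("<form method=\"POST\" action=\""
                + escapeHtmlAttribute(contextPath + targetPage) + "\">\n");
        out.write(hiddenFieldEscaped("actionUrl", actionUrl) + "\n");
        out.write(hiddenFieldEscaped("authParam", authParam) + "\n");
        out.write("</form>\n</body>\n</html>\n");
        out.flush();
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value: closes the value attribute and
        // the input element, injects a script element, then re-opens an input
        // so the rest of the template still parses.
        String hostile = "\"><script>alert(document.cookie)</script><input value=\"";

        System.out.println("Unescaped (what the question's code emits):");
        System.out.println(hiddenFieldUnescaped("authParam", hostile));
        System.out.println();
        System.out.println("Escaped:");
        System.out.println(hiddenFieldEscaped("authParam", hostile));
        System.out.println();

        // Full page written through a PrintWriter, as the servlet would do it.
        // Context path, target page and action URL are made-up sample values.
        StringWriter page = new StringWriter();
        writeAutoSubmitForm(new PrintWriter(page), "/myapp", "/login.jsp",
                "/myapp/secure/home", hostile);
        String html = page.toString();
        System.out.println(html);

        // The only '<' left are the template's own, so no injected tag survives.
        System.out.println("Injected <script> survived: " + html.contains("<script"));
    }
}
```

Escaping like this is specific to the HTML text and double-quoted attribute contexts. If the same value were ever written into a JavaScript string, a URL query parameter or a CSS value, a different encoder for that context would be needed. Note also that escaping does not make an attacker-controlled action or actionUrl safe to navigate to: if either of those can be influenced by the client, they should be validated against an allow-list of expected paths, which is a separate concern from the XSS finding the tool reported.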