Summary: The <p:confirmDialog message> attribute does not escape HTML, thereby opening a potential XSS attack hole. How can I solve it?

Original question below (original title was: XSS Attacks : How to prevent Script injection in Response of application):


I am working on a JSF application and currently I am facing an issue with XSS attacks. I have done several researches on it but am not able to find the solution. I am using an OWASP tool for testing. I am able to prevent XSS attacks in the request but not in the response. For the request I used a filter which filters the request and gives the correct output, but the response is not handled by the same solution. Once the response comes from the application, control goes to OWASP, then I inject a script inside it and it gets displayed in the browser :(

XHTML code:

<p:panel header="Regions">
    <p:dataTable id="regionsTable"
                 var="region"
                 value="#{regionsBean.regions}"
                 rowKey="#{region.id}"
                 selectionMode="single"
                 selection="#{regionsBean.selectedRegion}">

        <p:column styleClass="colID">
            <f:facet name="header">ID</f:facet>
            <h:outputText value="#{region.id}" />
        </p:column>

        <p:column>
            <f:facet name="header">Region</f:facet>
            <h:outputText value="#{region.regionDescription}" />
        </p:column>

        <p:column styleClass="colActionRegions">
            <f:facet name="header">Action</f:facet>
            <p:commandLink id="deleteRegionLnk"
                           oncomplete="deleteRegionConfirm.show()"
                           update=":regionForm:dltDlg">
                <p:graphicImage value="/resources/images/delete1616.png" />
                <f:setPropertyActionListener value="#{region}" target="#{regionsBean.forDelete}" />
            </p:commandLink>
            <p:tooltip id="toolTipDelete" for="deleteRegionLnk" value="Delete" showEffect="fade" hideEffect="fade" />
        </p:column>
    </p:dataTable>
</p:panel>

<!-- regionDescription is interpolated into the message attribute; the answers below
     explain that older PrimeFaces versions write this attribute to the page unescaped -->
<p:confirmDialog id="dltDlg"
                 message="You are about to delete the Region [#{regionsBean.forDelete.regionDescription}]. Proceed?"
                 header="Delete Region"
                 severity="alert"
                 widgetVar="deleteRegionConfirm">

    <p:commandButton id="confirm" value="Yes" styleClass="iot-button" update="regionsTable,growl"
                     oncomplete="deleteRegionConfirm.hide()" actionListener="#{regionsBean.delete}" style="color: #FFF" />
    <p:commandButton id="decline" value="Cancel" styleClass="iot-button"
                     onclick="deleteRegionConfirm.hide()" type="button" style="color: #FFF" />

</p:confirmDialog>

Response in OWASP:

[Image: OWASP response modification in red box] If you see the above code, here I am inserting the alert tag `<script>confirm(1);</script>`.

The solutions which I tried:

1) A filter, which is working for the request but not for the response.

2) Used the escape attribute.

3) Content Security Policy inside a <meta> tag (I am using Mozilla Firefox):

 <meta http-equiv="Content-Security-Policy" content="script-src  'self' https://apis.google.com;" />

Thanks For your help in advance.

vinod (question edited by BalusC)

2 Answers

After reading three times, your fairly convoluted question boils down to:

The <p:confirmDialog message> attribute does not escape HTML, thereby opening a potential XSS attack hole. How can I solve it?

This is a known issue which was already fixed since PrimeFaces 3.5. Further, the <p:confirmDialog header> also has an XSS vulnerability which is only fixed since PrimeFaces 5.2 RC1. PrimeFaces is currently already available as 5.3. So, just upgrade to the latest and this problem should disappear.

If you really can't upgrade, below are your options:

  • Make sure that user-controlled input never ends up in <p:confirmDialog message>. It's only vulnerable when the end user has full control over its value.
  • Or, rebuild the older versioned JAR to include the fix.
  • Or, escape it yourself beforehand using the JSTL #{fn:escapeXml()} function.

    <!-- requires xmlns:fn="http://java.sun.com/jsp/jstl/functions" on the root element -->
    <p:confirmDialog message="#{fn:escapeXml(bean.message)}" />
    

    Don't forget to remove it after an upgrade to at least PrimeFaces 5.2, otherwise it will be double-escaped.

To be clear, JSF is designed to have builtin XSS prevention all over the place. When you discover an XSS hole while already using the most recent version of the JSF implementation or JSF library, then it's just a bug which you should by all means report to the JSF impl/library guys. See also CSRF, XSS and SQL Injection attack prevention in JSF.

– BalusC
  • Thanks for the response. I am using PrimeFaces 3.4.2; is there any way out for this problem? As I am seeing, there is a change in src/main/java/org/primefaces/component/confirmdialog/ConfirmDialogRenderer.java as the fix in 5.2, so I need to modify the jar of 3.4.2 and test. – vinod Dec 26 '15 at 10:04
  • And for escaping I tried this alternative for the message of p:confirmDialog. – vinod Dec 26 '15 at 10:06
  • Thanks for the answer update @BalusC, you are always a hope for us :) Let me check with the fixes. – vinod Dec 26 '15 at 10:14
  • Am I right to believe that `of:escapeJS` would be better than `fn:escapeXml`? – ForguesR Oct 16 '17 at 19:02
  • @ForguesR: Use of:escapeJS() if you need to print the value as part of actual JavaScript code. Use fn:escapeXml() if you need to print the value as part of an actual X(HT)ML value. – BalusC Oct 16 '17 at 19:48
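As an added example (not code from the original post or from PrimeFaces itself), the following Java class models what the answer above describes: a confirm-dialog-style renderer that writes the message raw, the same renderer with the value HTML-escaped first (the character set mirrors JSTL's fn:escapeXml: `<`, `>`, `&`, `'`, `"`), the double-escaping that results if the template-level fn:escapeXml is left in place after the renderer is fixed, and, for the of:escapeJS question in the comments, a JavaScript-string escape for a value that lands inside script code rather than in markup. The renderer shape, the class and method names, and the payload string are this example's own assumptions.

```java
// Added example, not PrimeFaces code: a simplified model of a confirm-dialog
// renderer before and after output escaping, plus the XML-vs-JS escaping
// distinction. Class/method names and the payload are assumptions.
import java.util.regex.Pattern;

public final class ConfirmDialogEscapeDemo {

    // Same five characters JSTL's fn:escapeXml replaces: < > & ' "
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // For a value that ends up inside a JS string literal (e.g. onclick="confirm('...')"):
    // escape quote/backslash/newline and, importantly, '<' and '>' so that a
    // "</script>" inside the value cannot terminate the enclosing script block.
    // Not a substitute for escapeXml when the value sits in HTML markup.
    static String escapeJs(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\");    break;
                case '\'': sb.append("\\'");     break;
                case '"':  sb.append("\\\"");    break;
                case '\n': sb.append("\\n");     break;
                case '\r': sb.append("\\r");     break;
                case '<':  sb.append("\\u003C"); break;
                case '>':  sb.append("\\u003E"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Pre-fix shape: the message attribute is written straight into the dialog markup.
    static String renderVulnerable(String message) {
        return "<div class=\"ui-confirm-dialog-message\">" + message + "</div>";
    }

    // Fixed shape: identical markup, but the value is HTML-escaped first.
    static String renderFixed(String message) {
        return "<div class=\"ui-confirm-dialog-message\">" + escapeXml(message) + "</div>";
    }

    // The check a scanner like the one in the question performs on the response:
    // is there still an executable <script ...> tag in the HTML?
    private static final Pattern SCRIPT_TAG = Pattern.compile("(?i)<script[\\s>]");

    static boolean containsScriptTag(String html) {
        return SCRIPT_TAG.matcher(html).find();
    }

    public static void main(String[] args) {
        // Constructed region name carrying the same payload the question injected via the proxy.
        String region = "North <script>confirm(1);</script>";
        String msg = "You are about to delete the Region [" + region + "]. Proceed?";

        String bad = renderVulnerable(msg);
        String good = renderFixed(msg);
        System.out.println("vulnerable : " + bad);
        System.out.println("  script tag present: " + containsScriptTag(bad));   // true
        System.out.println("escaped    : " + good);
        System.out.println("  script tag present: " + containsScriptTag(good));  // false

        // What you get if #{fn:escapeXml()} stays in the template after upgrading to a
        // PrimeFaces that escapes the attribute itself: "&amp;lt;script&amp;gt;..." shown literally.
        System.out.println("double     : " + renderFixed(escapeXml(msg)));

        // The value as it would have to be written inside a JavaScript string literal.
        System.out.println("js context : '" + escapeJs(region) + "'");
    }
}
```

Run it with `javac ConfirmDialogEscapeDemo.java && java ConfirmDialogEscapeDemo`. The point of the two escape functions is that they are chosen by the output context, not by the input: the dialog message lands in HTML, so fn:escapeXml is the right tool there, and the browser then shows the original region name, script tags included, as plain text.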
  • Content-Security-Policy (CSP) is useful and you should continue using it. But it should be in an HTTP header, not in an HTML meta. And it's only a protection against bugs (like the one you have).
  • You have an inline script. Your CSP does NOT allow inline scripts (and that's GOOD, because inline scripts are bad for security. Do not use them. Put JavaScript in JavaScript files. If you read more about CSP, keywords containing the word 'unsafe' contain it for a good reason).
  • The code generating "You are about to delete the Region [confirm(1);]. Proceed?":

message="You are about to delete the Region [#{regionsBean.forDelete.regionDescription}]. Proceed?"

SHOULD have encoded regionsBean.forDelete.regionDescription. Are you able to produce the injection yourself (without the OWASP tools)?

– Tom
  • Thanks for your response. I am using an OWASP tool for testing. On my xhtml, when I am clicking on the delete button it shows this confirm dialogue box, but before showing that, in the OWASP response I inject an inline JS alert, and the response is in JavaScript. – vinod Dec 25 '15 at 17:31
  • @vinod sorry, but by "what is the code generating that HTML" I mean, what is the code in YOUR application that generates "You are about to delete the Region [name_of_the_region]. Proceed?" – Tom Dec 25 '15 at 17:34
  • Thanks. Can you edit your question to show the code generating the content inside? How do you insert the name of the region in the sentence "You are about to delete the Region [name_of_the_region]. Proceed?" – Tom Dec 25 '15 at 17:40
  • I have added all the code, hope this will be easier to understand. Thanks – vinod Dec 25 '15 at 18:02
  • I've edited my answer, but I can't help you further. With your question now improved, I hope some JSP folks can help you – Tom Dec 25 '15 at 19:01
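As an added example (not from the original post), here is a servlet Filter that sends the policy as an HTTP response header, which is what Tom's answer recommends instead of the `<meta>` tag the question uses. Two caveats a practitioner should know before copying the question's policy into a header: PrimeFaces of the 3.x generation initialises its widgets with inline scripts, so a `script-src` without `'unsafe-inline'` will break the page's dialogs and data tables until the application is on a PrimeFaces release with CSP support (added in PrimeFaces 7.0); and the question's own template uses `style="color: #FFF"` attributes, which `default-src 'self'` blocks unless `style-src` allows inline styles. The filter therefore starts in report-only mode and makes inline script an explicit switch. The class name, the init-param names and the `/csp-report` endpoint are this example's assumptions, and `https://apis.google.com` is carried over from the question's own policy.

```java
// Added example, not from the original post: send CSP as a response header
// from a servlet Filter instead of a <meta> tag. Init-param names, the class
// name and the /csp-report endpoint are assumptions of this example.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/*",
           initParams = {
               // Start with Report-Only so violations are logged by the browser, not enforced.
               @WebInitParam(name = "reportOnly", value = "true"),
               // Flip to "true" only while the app still depends on inline widget scripts.
               @WebInitParam(name = "allowInlineScript", value = "false")
           })
public class CspHeaderFilter implements Filter {

    private boolean reportOnly;
    private boolean allowInlineScript;

    @Override
    public void init(FilterConfig config) {
        reportOnly = "true".equalsIgnoreCase(config.getInitParameter("reportOnly"));
        allowInlineScript = "true".equalsIgnoreCase(config.getInitParameter("allowInlineScript"));
    }

    // Report-Only variant reports to report-uri without blocking anything.
    static String headerName(boolean reportOnly) {
        return reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
    }

    // Build the policy string. 'unsafe-inline' on script-src gives up the protection
    // against exactly the injection in the question, so it is a temporary compatibility
    // setting for templates that cannot yet drop inline scripts.
    static String policy(boolean allowInlineScript) {
        String scriptSrc = allowInlineScript
            ? "script-src 'self' 'unsafe-inline' https://apis.google.com"
            : "script-src 'self' https://apis.google.com";
        return "default-src 'self'; "
             + scriptSrc + "; "
             // the question's template uses style="..." attributes, which need inline styles
             + "style-src 'self' 'unsafe-inline'; "
             + "object-src 'none'; "
             + "base-uri 'self'; "
             + "frame-ancestors 'self'; "
             // hypothetical endpoint that accepts the browser's JSON violation reports
             + "report-uri /csp-report";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set the header before the chain runs so it is in place before JSF
            // starts writing (and possibly committing) the response body.
            ((HttpServletResponse) res).setHeader(headerName(reportOnly), policy(allowInlineScript));
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

With the filter deployed, open the page in Firefox's developer console: every inline script PrimeFaces emits shows up as a report-only violation, which tells you exactly how far the application is from being able to enforce a policy without `'unsafe-inline'`. Remember what Tom's answer says about scope: the header limits what an injected `<script>` can do, but the output-escaping bug in the message attribute still has to be fixed on the server.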