New to pentesting. I ran a vulnerability analysis that indicates the application I am testing has quite a few XSS vulnerabilities.

Now how to proceed from here?

Report Screenshot

Source Code:

// Fragment of a servlet request handler as posted. The method signature and the
// opening of the try block are added here only to balance the braces; the
// declarations of Name, server, test, productName and message sit above this
// fragment and are not shown.
private void handleRequest(HttpServletRequest request, HttpServletResponse response) {
    try {
        if (Name != null) {
            if (Name.equals(server)) {
                String appName = request.getParameter("appName");
                if (appName != null && appName.equals(CommonUtil.getProductName())) {
                    message = addProductDetails(request, productName, message);
                }
            } else if (Name.equalsIgnoreCase(test)) {
                ADSMPersUtil.updateSyMParameter("IS_INTEGRATED", "true");
                message = "Successfully Integrated"; // No I18N
            } else {
                message = addProductDetails(request, productName, message);
            }
        }

        // message is written into a text/html response without HTML encoding
        PrintWriter out = response.getWriter();
        response.setContentType("text/html"); // No I18N
        out.println(message);
        out.close();
    } catch (Exception e) {
        e.printStackTrace();
    }
}

1 Answer

If message is not HTML, then it needs to be HTML encoded before being inserted into an HTML stream. Characters like <, >, ", ', & need to be converted to their corresponding HTML entities.

With JSP, then the <c:out> tag does this encoding, and other templating languages have similar ways of doing this.

When writing to the OutputStream directly from Java, then you can use Java methods to do the escaping. See: Recommended method for escaping HTML in Java

If message is already HTML, then the code that generates the HTML similarly needs to escape any data values inserted within it.

With constant strings that don't contain any of these special characters, then you can treat it as an HTML string, or a plain-text string. It's more robust to escape these strings anyway when outputting them, which prevents any XSS issues from being introduced if the strings change in the future, especially if they're being created in other methods.

fgb
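As an added example (not part of the question or the answer above), a minimal escaping routine of the kind the answer describes, applied at the out.println(message) step from the question. The class name, the writeMessage helper and the sample message are assumptions made for the demonstration.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

public class HtmlEscapeExample {

    // Converts the five characters that are significant in HTML text and
    // attribute contexts into entities. Each input character is examined
    // exactly once, so entities produced here are never re-escaped.
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // &apos; is not defined in HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical replacement for the output step in the question: the
    // message is encoded once, at the point where it enters the HTML response.
    public static void writeMessage(PrintWriter out, String message) {
        out.println(escapeHtml(message));
    }

    public static void main(String[] args) {
        // Constructed sample message containing every character the answer lists.
        String message = "Added product: Acme <Widgets> & \"Co\" 'Ltd'";

        StringWriter buf = new StringWriter();
        PrintWriter out = new PrintWriter(buf);
        writeMessage(out, message);
        out.flush();

        System.out.println("Unescaped: " + message);
        System.out.println("Escaped:   " + buf);
    }
}
```

A servlet would pass response.getWriter() instead of the StringWriter-backed PrintWriter used here so the example runs without a container.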