
This question was flagged as a duplicate, but it is not, and the question referenced did not address javascript injection at all. And both answers provided below so far completely ignore the fact that I AM using the escapeXML attribute of the c:out tag, but it doesn't work. The issue is that javascript does not necessarily contain ANY HTML characters. I need to be able to prevent runnable javascript from being injected into my JSP code.

The organization that I develop for runs every web application through a code scanner to locate any potential vulnerabilities that may be contained in the code. We've had several found simply because our application was initially deployed long before XSS vulnerabilities were a thing. Normally these issues are easy to eliminate, since there is a significant body of work on Cross-site scripting and various injection techniques.

Technologies are: Java 8, jsp, Spring, Javascript, Oracle

However, I have come across a vulnerability that I can find very little discussion on...escaping javascript injection.

We have a url that takes a string as a RequestParam: testapp.com?stringValue=test

Our vulnerability checker injects an alert into the RequestParam: testapp.com?stringValue=test'+alert(6853)+'

The jsp page in question uses <c:out value="${stringValue}" escapeXML="true"/> to output the string in question. When the page renders, we get a javascript alert dialog that pops up on the page, indicating that the javascript injection was successful.

In this particular case, the data contained in stringValue is one of two expected values, and so it is easy to just check the RequestParam in the controller and if the value does not match one of the two expected values, throw an InvalidParameterException. But we have several cases where a string-based RequestParam can be anything, so the solution used above would not work.

I have spent several days researching this issue, and while there are plenty of suggestions as to how to eliminate injected HTML in a jsp application, I can find very little useful information about eliminating injected javascript, which to me seems like a much bigger issue, as injected javascript could do malicious things to a web application.

Does anyone have any useful recommendations as to how to resolve this issue?

Paul
  • The `escapeXml` parameter (`true` by default) does the escaping. That's the correct way to do things. The problem isn't there. – Kayaman Jun 23 '22 at 18:19
  • Kayaman, the escapeXML attribute will not strip out javascript code. Only markup. – Paul Jun 23 '22 at 19:54
  • You shouldn't need to strip it out, just make it unexecutable. How is the `alert()` even getting executed, are you outputting things inside a ` – Kayaman Jun 23 '22 at 20:12

1 Answer


Just escape it. I use this function:

function esc_attr(string) {
    // Treat null, undefined and "" as an empty string rather than emitting "null"/"undefined".
    if (!string) {
        return "";
    }
    // Replace each HTML-significant character with a numeric or named entity;
    // "/" and "\" are included as well, not just the five escapeXml covers.
    return ("" + string).replace(/[&<>"'\/\\]/g, function (s) {
        return {
            "&": "&amp;",
            "<": "&lt;",
            ">": "&gt;",
            '"': '&quot;',
            "'": '&#39;',
            "/": '&#47;',
            "\\": '&#92;'
        }[s];
    });
}
IT goldman
  • IT goldman, none of the characters listed in your solution are contained in the functioning javascript code that was injected. I've tried this solution, and it does not work. – Paul Jun 23 '22 at 19:56
  • Escaping HTML should also escape the `<` before the script tag so it won't execute the JavaScript. btw, where is the ` – IT goldman Jun 23 '22 at 20:17
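An added example, written for this page and not code from either Paul or IT goldman, that shows the one layout in which `escapeXml` (and `esc_attr` above) genuinely does not stop `test'+alert(6853)+'`: the value is placed inside a JavaScript string literal that itself sits in an HTML event-handler attribute such as `onclick="show('VALUE')"`. The question does not say where the value is rendered, so that context is an assumption here. The browser HTML-decodes the attribute first, which turns `&#039;` back into `'`, and only then parses the result as JavaScript, so the quote closes the literal. The fix is to encode for the inner context first (a JavaScript-string encoder, for example OWASP Java Encoder's `Encode.forJavaScript` in a JSP) and the outer HTML context second. The entity decoder and `runHandler` below are a small stand-in for the browser, and `PAYLOAD` is the scanner input copied from the question.

```javascript
// Added example (not from the question or the answer). It simulates what a browser
// does with an untrusted value placed inside a JavaScript string literal in an
// HTML event-handler attribute, e.g. onclick="show('VALUE')": the attribute is
// HTML-entity-decoded first, and only then is the result parsed as JavaScript.
// That second step is why HTML escaping alone (escapeXml / esc_attr) is not enough.

// Constructed input, mirroring the scanner payload from the question.
const PAYLOAD = "test'+alert(6853)+'";

// HTML escaping of the same five characters escapeXml handles.
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  })[c]);
}

// JavaScript-string escaping: every character except ASCII letters and digits
// becomes a \xHH or \uHHHH escape, so the value can never close the literal.
// Same idea as OWASP Java Encoder's Encode.forJavaScript (assumed equivalent here).
function escapeJsString(s) {
  let out = '';
  for (const ch of String(s)) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (cp < 0x100) out += '\\x' + cp.toString(16).padStart(2, '0');
    else if (cp < 0x10000) out += '\\u' + cp.toString(16).padStart(4, '0');
    else out += '\\u{' + cp.toString(16) + '}';
  }
  return out;
}

// Minimal HTML entity decoder standing in for the browser's attribute parsing.
function decodeHtmlEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : m;
  });
}

// Browser model: decode the attribute, then run it as a handler whose only
// global is a stand-in alert() that records what it was called with.
function runHandler(attrValue) {
  const alertCalls = [];
  const js = decodeHtmlEntities(attrValue);
  const result = new Function('alert', js)((x) => { alertCalls.push(x); });
  return { result, alertCalls };
}

// What the server would emit for onclick="return 'VALUE';" under each strategy.
function htmlOnly() {
  // Equivalent of <c:out escapeXml="true"> inside a JS string in an attribute.
  return runHandler("return '" + escapeHtmlAttr(PAYLOAD) + "';");
}

function jsThenHtml() {
  // Inner context first (JS string), then outer context (HTML attribute).
  // The browser undoes them in reverse order, so both layers survive.
  return runHandler("return '" + escapeHtmlAttr(escapeJsString(PAYLOAD)) + "';");
}

console.log('HTML escaping only :', htmlOnly());   // alertCalls: [6853]
console.log('JS then HTML       :', jsThenHtml()); // alertCalls: [], result === PAYLOAD
```

Note the ordering: encode for the innermost context (JavaScript string) first and the outer one (HTML attribute) second, because the browser decodes them in the reverse order. Applying only the outer HTML encoding, which is all `escapeXml` does, leaves the inner JavaScript context unprotected; the alternative that avoids the double-context problem entirely is to put the value in a plain attribute and read it from script with `getAttribute`, so it is never parsed as code.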