
I am trying to improve the security of our web application by preventing XSS injection.
I am using the OWASP encoder library to escape characters: https://owasp.org/www-project-java-encoder/

The complete URL has the following format: https://nom.domain.fr/auth/login?service=http://nom.domaine.fr/app/jsp/ServletControleur%3Ftraitement=accueil&ticket=XXX-XXXXX-XXXXXXXX where the service GET parameter contains the desired URL to redirect to.

Here is my code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<%@ page import="java.util.Vector" %>
<%@ page import="org.owasp.encoder.Encode" %>

<%
  String serviceId = (String) request.getAttribute("serviceId");
  String token = (String) request.getAttribute("token");
  String service = null;
  if (serviceId.indexOf('?') == -1)
    service = serviceId + "?ticket=" + token;
  else
    service = serviceId + "&ticket=" + token;
  service =
    com.dev.util.StringUtil.substituteAll(service, "\n", "");
  service = 
    com.dev.util.StringUtil.substituteAll(service, "\r", "");
  service =
    com.dev.util.StringUtil.substituteAll(service, "\"", "");
  
  //tried replace & by url encoding %26 but it's not working
  service = service.replace("&", "%26");
  service = Encode.forHtml(service);
%>


<html>
<head>
<title>Authentication Service</title>
 <script type="text/javascript">        
        var service = "<%= service %>"
        window.location.href= service;
 </script>

</head>
</html> 

The problem is that OWASP transforms the & character into &amp; endlessly, so window.location.href causes an infinite loop.
I tried to replace & by %26 but it's not working, unfortunately, and has the same effect.

Any idea how to solve the problem?

Roman C
ulquiorra

1 Answer


You are using the OWASP encoding interface wrong. Encode.forHtml() is never used for encoding URLs. Instead you should use Encode.forUriComponent().

Performs percent-encoding for a component of a URI, such as a query parameter name or value, path or query-string. In particular this method insures that special characters in the component do not get interpreted as part of another component.

<a href="http://www.owasp.org/<%=Encode.forUriComponent(...)%>?query#fragment">

<a href="/search?value=<%=Encode.forUriComponent(...)%>&order=1#top">

You should not encode the entire URL, nor any special characters such as & or =. However, you can use & converted to &amp; and = converted to &#61; using a string replace method or the corresponding API method of the interface.

Roman C
  • It's important to note that what is being generated is not "a URL", it is a URL expressed as a JS string literal, in an HTML `<script>` element. – Quentin Jun 17 '23 at 16:38
  • The variable is generated in JSP, *not* in JS code, and it is desired by OP to generate a URL for redirection. @Quentin – Roman C Jun 18 '23 at 11:32
  • It is generated by JSP which then injects the generated value into a JS string literal etc etc. It is not an HTTP level redirection. – Quentin Jun 18 '23 at 14:20
  • The generated value should be a URL, but the code is using the wrong OWASP method, which encodes URL special characters, and the value that is generated cannot be used for redirection. @Quentin – Roman C Jun 18 '23 at 17:47
  • Given the context, the generated value should have data encoded as a URL which (in turn) is encoded as a JS string literal which doesn't contain the sequence `</script>`. – Quentin Jun 18 '23 at 18:47
  • It's not encoded as a JS string literal, it's encoded as a Java String. Then it's injected by the Java variable into the generated HTML. It is used for non-structured data to display text. But you can't do the same with any active data content. @Quentin – Roman C Jun 19 '23 at 16:50
  • Code from the question: `var service = "<%= service %>"`. That is a JavaScript string literal. `service` needs to be a URL made safe for injection into a JS string literal made safe for injection into an HTML document. – Quentin Jun 19 '23 at 16:51
  • It is a JS variable and it does not exist when the code is rendered – Roman C Jun 19 '23 at 16:55
  • It is JavaScript source code that is generated by the JSP. There is nothing more vulnerable to XSS than that. I don't understand how you can claim it "does not exist". – Quentin Jun 19 '23 at 16:56
  • Then you should stop writing vulnerable code and use this answer to build the URL. If you cannot build the URL yourself then you can use a framework which is XSS safe in JSP. – Roman C Jun 19 '23 at 17:02
  • "Then you should stop writing vulnerable code" — I'm not the OP – Quentin Jun 19 '23 at 17:02
  • "this answer to build the url" — The problem that I'm pointing out is not that the URL is improperly generated, but that it is used to generate JS source code without any consideration given to generating the JS source code in a safe way. – Quentin Jun 19 '23 at 17:03
  • A URL string is not JS source code, but it can be injected from the request parameter. That's what I said: how to safely generate a URL string is in this answer. – Roman C Jun 19 '23 at 17:06
  • Again: `var service = "<%= service %>"` — The question is about generating JS source code. – Quentin Jun 19 '23 at 17:07
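The following is an added example, not code from the question, the answer or the OWASP project. It puts the JSP from the question and the answer's point about Encode.forUriComponent() together: the ticket value is percent-encoded as a URI component, the assembled URL is then encoded for the context it actually lands in (a JavaScript string literal inside a <script> block), and the output of the original Encode.forHtml() call is printed next to it so the &amp; corruption is visible. It assumes the OWASP Java Encoder (org.owasp.encoder) is on the classpath and Java 9+ for Set.of(); the ALLOWED_HOSTS allowlist and isAllowedService() are hypothetical additions (the service parameter is a redirect target supplied by the client, so it should be checked against the registered services), and the sample serviceId, token and hostile value are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import org.owasp.encoder.Encode;

public class RedirectTargetDemo {

    // Hypothetical allowlist of registered service hosts; in a real deployment this
    // comes from wherever the application registers the services it redirects to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("nom.domaine.fr");

    /** Open-redirect guard: accept only absolute http(s) URLs on a registered host. */
    static boolean isAllowedService(String serviceId) {
        try {
            URI u = new URI(serviceId);
            String scheme = u.getScheme();
            return ("http".equals(scheme) || "https".equals(scheme))
                    && u.getHost() != null
                    && ALLOWED_HOSTS.contains(u.getHost().toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Append the ticket. Only the value is a URI component; '?', '&' and '=' are structural and stay raw. */
    static String buildServiceUrl(String serviceId, String token) {
        String sep = serviceId.indexOf('?') == -1 ? "?" : "&";
        return serviceId + sep + "ticket=" + Encode.forUriComponent(token);
    }

    /** What the JSP in the question does: HTML entity encoding for a value that lands in a <script> body. */
    static String wrongScriptLiteral(String url) {
        return "var service = \"" + Encode.forHtml(url) + "\";";
    }

    /** Encode for the real context: a JavaScript string literal inside a <script> block. */
    static String scriptLiteral(String url) {
        return "var service = \"" + Encode.forJavaScript(url) + "\";";
    }

    public static void main(String[] args) {
        // Constructed sample values matching the URL format from the question.
        String serviceId = "http://nom.domaine.fr/app/jsp/ServletControleur?traitement=accueil";
        String token = "XXX-XXXXX-XXXXXXXX";

        if (!isAllowedService(serviceId)) {
            throw new IllegalArgumentException("service not registered: " + serviceId);
        }
        String url = buildServiceUrl(serviceId, token);
        System.out.println(url);

        // Encode.forHtml turns '&' into '&amp;'. The body of a <script> element is raw
        // text to the HTML parser, so the entity is never decoded and the browser is
        // sent to ...accueil&amp;ticket=..., which the servlet cannot match.
        System.out.println(wrongScriptLiteral(url));

        // Encode.forJavaScript escapes quotes, backslash, control characters and '/'
        // (so "</script>" cannot appear in the emitted source). Any escape it applies to
        // '&' is a JavaScript escape the engine evaluates back to '&', never an HTML
        // entity, so window.location.href receives the URL exactly as built above.
        System.out.println(scriptLiteral(url));

        // A hostile serviceId that tries to close the string and the <script> element.
        // Every dangerous character is escaped before it reaches the page, so it stays
        // inside the string literal. (isAllowedService() would also reject it.)
        String hostile = "http://nom.domaine.fr/x\"; location='http://evil.example/'; </script><script>alert(1)</script>";
        System.out.println(scriptLiteral(buildServiceUrl(hostile, token)));
    }
}
```

In the JSP this means replacing `service = Encode.forHtml(service);` with `Encode.forJavaScript(service)` (or `Encode.forJavaScriptBlock`, which targets only the <script> body) immediately before `<%= service %>`, and dropping the manual `\n`, `\r` and `"` substitutions, which the encoder already covers. Since the page does nothing but redirect, an HTTP-level `response.sendRedirect(url)` after the allowlist check avoids generating JavaScript source from request data altogether.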