XSS Cross Site Scripting - Jsp <Input> tag


Solution 1

I have used the following solution,

The scriptlet in the value attribute is the problem. I replaced it with a JSTL tag; I read somewhere that JSTL tags have an in-built escaping mechanism to avoid XSS issues.

<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<c:out value="${rptBean.acctId}"/>"/>

This works well for my issue.

Thanks
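To make the attribute breakout concrete, here is an added example (not from this answer or from the question's JSP): a small Java program that renders the same <input> tag once with the value concatenated raw, as the original scriptlet did, and once after the escaping that <c:out> applies by default (escapeXml="true", which replaces &, <, >, " and '). The escaper, the render helpers and the tag counter are written for this illustration; the payload is the string the testers made getAcctId() return.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AttributeEscapeDemo {

    /** What the original scriptlet did: the value is concatenated unescaped. */
    static String renderUnescaped(String acctId) {
        return "<input class=\"tbl1\" type=\"text\" id=\"acctId\" name=\"acctId\""
             + " size=\"20\" maxlength=\"10\" value=\"" + acctId + "\"/>";
    }

    /** Mirrors the escaping JSTL <c:out> applies by default (escapeXml="true"). */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Same markup, but the value goes through the escaper first, like <c:out>. */
    static String renderEscaped(String acctId) {
        return renderUnescaped(escapeXml(acctId));
    }

    /** Counts tag starts a browser would see; a safe rendering has only the <input>. */
    static int countTags(String html) {
        Matcher m = Pattern.compile("</?[a-zA-Z]").matcher(html);
        int n = 0;
        while (m.find()) n++;
        return n;
    }

    public static void main(String[] args) {
        // Constructed input: the string the penetration testers made getAcctId() return.
        String payload = "1\"><script>alert(12345)</script>";
        String raw = renderUnescaped(payload);   // quote closes the attribute, script tag is live
        String safe = renderEscaped(payload);    // quote and brackets become entities, still one tag
        System.out.println(raw + "\n  tags seen by the browser: " + countTags(raw));
        System.out.println(safe + "\n  tags seen by the browser: " + countTags(safe));
    }
}
```

The escaped value is still decoded by the browser into the original text inside the field, so the user sees the same account id; only the markup interpretation changes.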

Solution 2

It seems the penetration testers were able to manipulate their session such that rptBean.getAcctId() would return an arbitrary string. If they could inject quotes and a right bracket, they could "force close" the input tag and insert their own script tag.

It looks like penetration testers got the method to return the string 1"><script>alert(12345)</script>.

This indicates that you need to escape the data when writing to the page. I would suggest taking a look at the answer on escaping HTML in JSP.

Also, remember that code does not have to be "perfectly" formatted for a browser to render it "correctly". Here are some links on how attackers may try to evade XSS filters:

Always treat user data as "dangerous" and take care when rendering it on a page.

Solution 3

It seems that using the JSTL tag <c:out value=""> in the value attribute will cause errors in JSTL <form options> tags.

More info: XSS prevention in JSP/Servlet web application

Author: Deena

Updated on July 11, 2022

Comments

  • Deena, almost 2 years ago:

    The following piece of code in my JSP caused a cross site scripting vulnerability on the input tag.

    <form name="acctFrm" method="post" action="<%=contextPath%>/form/acctSummary?rpt_nm=FIMM_ACCT_SUMM_RPT">
    <table>
     <tr>
      <td>Account Id:</td>
      <td>
       <input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<%=rptBean.getAcctId()%>"/>
       <a href="javascript:doAcctSubmit()"><img class="tbl1" src="<%=contextPath%>/img/Submit.gif" border="0" /></a>
      </td>
     </tr>
    </table>
    </form>
    

    During penetration testing they were able to alert some random message to the user by injecting an alert script into the value attribute of the tag, as follows:

    <input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="1"><script>alert(12345)</script>" />
    

    What is the problem here, and what would be the fix?

    I was reading through some online references on XSS, but I still wasn't 100% sure what the issue could be.

    Any help would be greatly appreciated.

    Thanks, Deena