XSS Cross Site Scripting - Jsp <Input> tag
Solution 1
I have used the following solution,
The scriplet in the value attribute is the problem, I replaced it with jstl tag, I read somewhere that jstl tags have inbuild escaping mechanism to avoid xss issues.
<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<c:out value=${rptBean.acctId}"/>"/>
This works good for my issue.
Thanks
Solution 2
It seems the penetration testers were able to manipulate their session such that rptBean.getAcctId() would return an arbitrary string. If they could inject quotes and a right bracket, they could "force close" the input
tag and insert their own script
tag.
It looks like penetration testers got the method to return the string 1"><script>alert(12345)</script>
.
This indicates that you need to escape the data when writing to the page. I would suggest taking a look at the answer on escaping HTML in jsp.
Also, remember that code does not have to be "perfectly" formatted for a browser to render it "correctly". Here are some links on how attackers may try evade XSS filters:
Always treat user data as "dangerous" and take care when rendering it on a page.
Solution 3
It seems using jstl
tag <c:out value="">
in value attribute will cause errors in jstl
<form options>
tags,
more info XSS prevention in JSP/Servlet web application
Deena
Updated on July 11, 2022Comments
-
Deena almost 2 years
The following piece of code in my JSP caused a cross site scripting vulnerability on the input tag.
<form name="acctFrm" method="post" action="<%=contextPath%>/form/acctSummary?rpt_nm=FIMM_ACCT_SUMM_RPT"> <table> <tr> <td>Account Id:</td> <td> <input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<%=rptBean.getAcctId()%>"/> <a href="javascript:doAcctSubmit()"><img class="tbl1" src="<%=contextPath%>/img/Submit.gif" border="0" /></a> </td> </tr> </table> </form>
During Penetration testing they were able to alert some random message to the user by injecting a alert script in the value attribute of the tag as follows
<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="1"><script>alert(12345)</script>" />
What is the problem here, and what would be the fix.
I was reading through some online references on XSS still I wasnt 100% sure on what could be the issue.
Any help would be greatly appreciated.
Thanks, Deena