How to fix XSS vulnerabilites

Question

We're using fortify to scan java source code & it is complaining below error:

Method abc() sends unvalidated data to a web browser on line 200, which can result in the browser executing malicious code.

We've below code on line 200:

<a href="<%= Util.getProduct(request) %>">Product</a>

And Util.java hsa below code in getProduct method:

String prod = request.getParameter("prod");

Can any one tell me how to fix this XSS vulnerability?

Thanks!

Answer 1

You need to escape the output of Util.getProduct(request). Typically this is done using JSTL and a <c:out> tag and EL:

<a href="<c:out value="${Util.getProduct(request)}"/>" class="left_nav_link">Product</a>

N.B. you'll have to use a fairly up-to-date implementation of EL (as per JSTL or JSP 2.0 EL for getter with argument and Parameters in EL methods) in order to pass an argument to the getter method.

---

Since the code in your question contains scriptlets, I will strongly suggest that you read How to avoid Java code in JSP files? This question covers reasons to use JSTL+EL instead of scriptlets, as well as a bit of information about what those two acronyms actually refer to.

Answer 2

In case you don't have JSTL for this website, you can fix the problem by making sure you only print valid products:

public String getProduct( String prod ) throws InputValidationException {
    if (   prod.equals( "myProduct1" )
        || prod.equals( "myProduct2" )
        || prod.equals( "myProduct3" )
        // etc.           
    ) {
        return "/foo/page.jsp?product=" + safeProduct;
    }
    else {
        throw new InputValidationException( "Invalid product key provided." );
    }
}