XSS Cross Site Scripting - Jsp <Input> tag

StackOverflow https://stackoverflow.com/questions/11940770

  •  26-06-2021
  •  | 
  •  

문제

The following piece of code in my JSP caused a cross site scripting vulnerability on the input tag.

<form name="acctFrm" method="post" action="<%=contextPath%>/form/acctSummary?rpt_nm=FIMM_ACCT_SUMM_RPT">
<table>
 <tr>
  <td>Account Id:</td>
  <td>
   <input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<%=rptBean.getAcctId()%>"/>
   <a href="javascript:doAcctSubmit()"><img class="tbl1" src="<%=contextPath%>/img/Submit.gif" border="0" /></a>
  </td>
 </tr>
</table>
</form>

During Penetration testing they were able to alert some random message to the user by injecting a alert script in the value attribute of the tag as follows

<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="1"><script>alert(12345)</script>" />

What is the problem here, and what would be the fix.

I was reading through some online references on XSS still I wasnt 100% sure on what could be the issue.

Any help would be greatly appreciated.

Thanks, Deena

도움이 되었습니까?

해결책

I have used the following solution,

The scriplet in the value attribute is the problem, I replaced it with jstl tag, I read somewhere that jstl tags have inbuild escaping mechanism to avoid xss issues. 

<input class="tbl1" type="text" id="acctId" name="acctId" size="20" maxlength="10" value="<c:out value=${rptBean.acctId}"/>"/>

This works good for my issue.

Thanks

다른 팁

It seems the penetration testers were able to manipulate their session such that rptBean.getAcctId() would return an arbitrary string. If they could inject quotes and a right bracket, they could "force close" the input tag and insert their own script tag.

It looks like penetration testers got the method to return the string 1"><script>alert(12345)</script>.

This indicates that you need to escape the data when writing to the page. I would suggest taking a look at the answer on escaping HTML in jsp.

Also, remember that code does not have to be "perfectly" formatted for a browser to render it "correctly". Here are some links on how attackers may try evade XSS filters:

Always treat user data as "dangerous" and take care when rendering it on a page.

It seems using jstl tag <c:out value=""> in value attribute will cause errors in jstl <form options> tags,

more info XSS prevention in JSP/Servlet web application

if getAcctId() returned data come from DB you can filter before sending to client. for example check is data should be a number.

라이센스 : CC-BY-SA ~와 함께 속성
제휴하지 않습니다 StackOverflow
scroll top