elcadro

Reputation: 1492

XSS HTTP parameter pollution and getQueryString()

I'm dealing with XSS issues and found a problem I don't know how to solve.

I have a report from Acunetix saying:

Details

POST (multipart) input query was set to idMenu=14&n907758=v929899
Parameter precedence: first occurrence
Affected link:
/MYAPP/jspfs/plantilla.jsp?idMenu=14&n907758=v929899&int1=-1&accion1=edit

Affected parameter: idMenu=14

In my JSP I have something like this:

          <%-- the raw query string is echoed back into a hidden field --%>
          <input type="hidden" name="query" value="<%=StringEscapeUtils.escapeHtml4(request.getQueryString())%>" />

            <script>
              $(document).ready(function () {

                function send() {
                    // the query string is concatenated into the redirect URL
                    location.href="<%=Utils.getParameter("ruta0") + "jspfs/plantillasTickets/plantillasTickets.jsp"%><%=query%>&idMenu=<%=idMenu%>&idioma="+valIdioma+"&grupo="+valGrupo;
                }
              });
            </script>

So, the getQueryString() method used to build the URL is getting the value idMenu=14&n907758=v929899&int1=-1&accion1=edit, which is interpreted as a new param n907758.

NOTE: To solve other XSS issues, I'm using a filter where I canonicalize the request values, but in this case I have no clue how to distinguish the proper params from the injected one.

Any ideas to solve this?

Upvotes: 4

Views: 1655

Answers (1)

elcadro

Reputation: 1492

I've solved the Acunetix attack with these changes in the code. Hope it can help someone deal with this kind of problem.

        <%-- the input query has been deleted --%>
        <script>
          $(document).ready(function () {

            function send() {

                <%
                    // escape the query string once, right before it is written into the URL
                    query = StringEscapeUtils.escapeHtml4(request.getQueryString());

                %>
                location.href="<%=Utils.getParameter("ruta0") + "jspfs/plantillasTickets/plantillasTickets.jsp" + query%>&idMenu=<%=idMenu%>&idioma="+valIdioma+"&grupo="+valGrupo;
            }
          });
        </script>

Upvotes: 1
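
A different way to handle the scanner finding, as an added example that is not part of the original answer: rebuild the query string from an allowlist of expected parameters instead of echoing `request.getQueryString()`. The class name `SafeQuery`, the allowlist (names taken from the affected link in the question) and the sample values are assumptions; the map has the shape returned by `request.getParameterMap()`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.StringJoiner;

public class SafeQuery {
    // Assumption: the only parameters the target page needs (names from the affected link).
    static final List<String> ALLOWED = List.of("idMenu", "int1", "accion1");

    /** Rebuilds a query string from allowlisted names only. */
    static String rebuild(Map<String, String[]> params) {
        StringJoiner q = new StringJoiner("&");
        for (String name : ALLOWED) {
            String[] values = params.get(name);
            if (values == null || values.length == 0) {
                continue;
            }
            // Keep one value per name (first occurrence) so a duplicated
            // parameter cannot change which value the next page reads.
            q.add(enc(name) + "=" + enc(values[0]));
        }
        return q.toString();
    }

    static String enc(String s) {
        // URLEncoder output is limited to letters, digits and . - * _ + %,
        // so it cannot close a JS string literal or an HTML attribute.
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample: the scanner's extra parameter, a duplicated
        // idMenu, and a value containing a quote and angle brackets.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("idMenu", new String[] {"14", "99"});
        params.put("n907758", new String[] {"v929899"});
        params.put("int1", new String[] {"-1"});
        params.put("accion1", new String[] {"edit\"<x>"});
        // n907758 is dropped, idMenu keeps only its first value,
        // and the quote and brackets come out percent-encoded.
        System.out.println(rebuild(params));
    }
}
```

In the JSP the result would be written after the `?` with `<%= SafeQuery.rebuild(request.getParameterMap()) %>`, so unknown names such as `n907758` never reach the generated URL.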
