Reputation: 376
How to avoid XSS with this bit of scriplet?
Using Checkmarx, this one page has multiple uses of the "request.getParameterNames()" and is flagged by Checkmarx as "CGI_Reflected_XSS_All_Clients" (Query Name). The page is "error.jsp" so it is a common page that is used across multiple apps in my company. This page gets displayed when an unexpected error occurs. Why this way? who knows, best to not show it and just log it out instead. I'm pretty new to the fixing code being reported as vulnerable by Checkmarx.
<h3>Request Parameters</h3>
<pre>
<%
lEnum = request.getParameterNames();
while(lEnum.hasMoreElements())
{
String key = (String)lEnum.nextElement();
String[] paramValues = request.getParameterValues(key);
for(int i = 0; i < paramValues.length; i++)
{
out.println(" " + key + " : " + paramValues[i]);
}
}
%>
</pre>
Upvotes: 0
Views: 500
Answers (2)
Reputation: 139
Use Spring-Web's HtmlUtils.htmlEscape(Variable) to sanitize parameters before passing to method.
Also, you can try
Variable=Variable.replace("'", ""); with it as well.
Use both on parameters before passing to method.
Upvotes: 0
Reputation: 18559
The values output to the page need to be escaped for HTML. Replace quotes, brackets, and ampersands with their entities. This can be done with libraries such as Guava like:
Escaper escaper = HtmlEscapers.htmlEscaper();
out.println(" " + escaper.escape(key) + " : " + escaper.escape(paramValues[i]));
Upvotes: 1
Related Questions
- XSS prevention in JSP/Servlet web application
- How to solve this XSS security issue in JSP page
- CheckMarx - Cross-Site-Scripting attack
- How do I prevent XSS in JSP scriptlet exceptions?
- How to sanitize HTML code to prevent XSS attacks in Java or JSP?
- Client Potential XSS without being properly sanitized or validated
- How to remove this XSS from JSP?
- how to stop XSS from non string parameter
- XSS attacks in jsp