JSP security: potential issue with arguments passed to a JSP?

 
Greenhorn
Posts: 3
Hi folks,

Just wondering about something.
I'm cooking up a user-registration page where the users can enter their e-mail address, etc.
The servlet is set up to validate all the user details for username length, invalid characters and so on.
If the user has any invalid details, the servlet sends them back to the user-registration page (a JSP) and adds arguments like &username=Bob to fill out the form so the user doesn't have to fill the whole form again.

Currently, if the username etc. contain invalid characters e.g. ampersands, my servlet will not bother to send the username in the argument list, so as to avoid breaking it.
The problem is that according to the relevant RFC, some valid e-mail addresses may contain characters like the ampersand which will break my argument list. So I can't neglect to send the e-mail address.

I guess it's fine if the argument list is broken as long as it's only a minor user-experience issue which affects a very small number of users, but the main question is: is it technically possible to use a bad or broken argument list (e.g. by inputting a carefully-formatted "e-mail address") to cause an exploit? If so, what would render the page vulnerable/invulnerable to such an exploit?

Thanks in advance for any replies.

- NN
 
Sheriff
Posts: 67746

Nat Ng wrote: I guess it's fine if the argument list is broken ....


Why don't you just make sure that the information is properly encoded?
 
Nat Ng
Greenhorn
Posts: 3

Bear Bibeault wrote:

Nat Ng wrote: I guess it's fine if the argument list is broken ....


Why don't you just make sure that the information is properly encoded?



Heh... Thanks. About 2 minutes after I sent that last message, I remembered that %-escaping is different from &-escaping. *major facepalm*

Is there some other channel by which I can pass information (error messages, etc) back from the servlet to the client without cluttering their address bar?
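
The distinction between %-escaping and &-escaping mentioned in the post above, as an added example that is not part of the original thread: percent-encoding keeps an address containing `&` inside a single query parameter of the redirect URL, while HTML escaping is what applies when the value is written back into the form. The page name `register.jsp`, the class and helper names, and the sample address are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class RegistrationEncodingDemo {

    // Percent-encode a name/value pair for a query string ("%-escaping").
    static String queryParam(String name, String value) {
        return URLEncoder.encode(name, StandardCharsets.UTF_8) + "="
                + URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    // Escape a value for a double-quoted HTML attribute ("&-escaping").
    static String htmlAttr(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: '&' and '=' are both allowed in an e-mail local part.
        String email = "r&d=team@example.com";

        // Naive concatenation: the server sees email=r plus a second parameter d.
        String broken = "register.jsp?username=Bob&email=" + email;
        // Percent-encoded: the whole address stays inside the email parameter.
        // (register.jsp is a hypothetical page name.)
        String safe = "register.jsp?" + queryParam("username", "Bob")
                + "&" + queryParam("email", email);
        System.out.println(broken);
        System.out.println(safe);

        // The container percent-decodes parameters, so the JSP gets the raw address back.
        String decoded = URLDecoder.decode(
                URLEncoder.encode(email, StandardCharsets.UTF_8), StandardCharsets.UTF_8);

        // Writing it into the form needs HTML escaping, not percent-encoding.
        System.out.println("<input name=\"email\" value=\"" + htmlAttr(decoded) + "\">");
    }
}
```

In a JSP, the JSTL `<c:out>` tag or the `fn:escapeXml` function performs the HTML-escaping step, so the hand-written `htmlAttr` helper is only there to keep the example free of servlet dependencies.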
 
Rancher
Posts: 43081

Is there some other channel by which I can pass information (error messages, etc) back from the servlet to the client without cluttering their address bar?


In the actual web page? Why would you put anything into the URL?
 
Nat Ng
Greenhorn
Posts: 3

Ulf Dittmer wrote:

Is there some other channel by which I can pass information (error messages, etc) back from the servlet to the client without cluttering their address bar?


In the actual web page? Why would you put anything into the URL?



Whoops. More stupidity - I blame it on being new to this whole "doing stuff on server side" thing - keep getting this idea that JSPs are happening on the client, even though that's manifestly not the case.

More specifically: Right now the servlet is just passing the client, in the response, a redirect URL to a JSP with a bunch of arguments. Is there a way for me to pass the argument data direct from the servlet to the JSP, bearing in mind that the client has not logged in yet and is essentially unidentifiable, so the next time the client accesses the JSP, the form is nicely filled out for the user?

Now that I think about it, one way I could do it is to assign the client a session cookie right off the bat, from the first time they access anywhere on the site, to identify them - but this would require me to keep a separate bunch of persistent objects representing client sessions. Is there a more straightforward or less resource-intensive method?

Sorry, I really am very new to any kind of active server scripting/coding, so all these things which probably would be blindingly obvious to a veteran developer are simply not occurring to me.

Edit: It looks like this is no longer a security question really - should I just axe this and start a topic elsewhere? Not sure how formal this forum is about that stuff.
 