Cross Site scripting

lakshmi gullapudi
Greenhorn

Joined: Mar 18, 2013
Posts: 16
One vulnerability was found in my application: cross site scripting.


JSP page :

<%@ page import="com.lpasystems.cmss.util.StringUtil" %>
<jsp:useBean id="project" class="com.lpasystems.cmss.ProjectBean" scope="application" />

<HTML>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">

<TITLE>User Access Type Tabs</TITLE>
<% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %>

<SCRIPT LANGUAGE="JavaScript">

function onLoadTabDocument()
{
parent.parent.DynamicFrame.TabClicked("");
}

var sDoneLoading = 'DONE'

</SCRIPT>
</HEAD>

<%
out.write("<BODY bgcolor=\"" + project.getsTitleBgColor() + "\" text=\"" + project.getsTitleTextColor() + "\"");

// Called from AccessTabs with appropriate OnLoad function call

if(StringUtil.escapeForHTML(request.getParameter("OnLoadGenTabs")) == null) {
out.write(">");
} else {
out.write(" onLoad=\"" + StringUtil.escapeForHTML(request.getParameter("OnLoadGenTabs")) + "\">\n");
}
%>

</BODY>
</HTML>



StringUtil.java

import java.text.CharacterIterator;
import java.text.StringCharacterIterator;

public final class StringUtil {

    // Replaces each character that is special in HTML with its character entity.
    public static String escapeForHTML(String someText) {
        if (someText == null) {
            return someText;
        }

        final StringBuffer result = new StringBuffer();
        final StringCharacterIterator iterator = new StringCharacterIterator(someText);
        char character = iterator.current();
        while (character != CharacterIterator.DONE) {
            if (character == '<') {
                result.append("&lt;");
            } else if (character == '>') {
                result.append("&gt;");
            } else if (character == '&') {
                result.append("&amp;");
            } else if (character == '\"') {
                result.append("&quot;");
            } else if (character == '\'') {
                result.append("&#39;");
            } else if (character == '(') {
                result.append("&#40;");
            } else if (character == ')') {
                result.append("&#41;");
            } else if (character == '#') {
                result.append("&#35;");
            } else if (character == '%') {
                result.append("&#37;");
            } else if (character == ';') {
                result.append("&#59;");
            } else if (character == '+') {
                result.append("&#43;");
            } else if (character == '-') {
                result.append("&#45;");
            } else {
                // the char is not a special one; add it to the result as is
                result.append(character);
            }
            character = iterator.next();
        }
        return result.toString();
    }

}


URL - this is the URL that is causing the vulnerability

http://usa0300uz3456.apps.mc.xerox.com:10503/CMSS/jsp/GenTabs.jsp?OnLoadGenTabs=%3b%61%6c%65%72%74%28%36%36%36%38%33%29%2f%2f

Parameter : OnLoadGenTabs

I escaped the characters like <, %, > ... but this issue is still occurring. Can you please help me with how to fix this issue?






Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30076

Your escaper doesn't escape HTML.


This does nothing. If you encounter an open HTML tag character, you just let it through. Consider using the ESAPI encoder tag.

As an added wrinkle, you are calling the escape HTML inside of a JavaScript tag. You need to escape JavaScript characters too.


lakshmi gullapudi
Greenhorn

Joined: Mar 18, 2013
Posts: 16
Please help me how to fix this XSS issue.


Vulnerability


http://usa0300uz1346.apps.mc.xerox.com:10202/GCS/jsp/ActionBarMainFrame.jsp?DataFrameURL=PROBLEM/PSRevList.jsp&ToolbarSize=80%20%73%54%79%4c%65%3d%58%3a%65%58%2f%2a%2a%2f%70%52%65%53%73%49%6f%4e%28%61%6c%65%72%74%28%35%38%31%37%32%29%29&BrowseTypeParam=PSR

Parameter: ToolbarSize

How can we restrict the junk values in the ToolbarSize parameter…


http://usa0300uz1346.apps.mc.xerox.com:10202/GCS/jsp/ActionBarMainFrame.jsp?DataFrameURL=%6a%41%76%41%73%43%72%49%70%54%3a%61%6c%65%72%74%28%35%38%38%35%38%29%20&ToolbarSize=80&BrowseTypeParam=PSR

Parameter: DataFrameURL

How can we restrict the junk values in the DataFrameURL parameter…


ActionBarMainFrame.jsp

<%@ page import="com.lpasystems.gcs.util.StringUtil" %>
<jsp:useBean id="project" class="com.lpasystems.gcs.ProjectBean" scope="application"/>
<jsp:useBean id="client" class="com.lpasystems.gcs.ClientBean" scope="session"/>
<jsp:useBean id="server" class="com.lpasystems.gcs.Server" />
<HTML><HEAD>

<TITLE>Action Bar</TITLE>
<% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %>


<%
client.validateUser("", out, request, response);

String sQueryString = server.passRequestParamsToNextPage(request);
String sToolBarSize = "80";

if (StringUtil.escapeForHTML(request.getParameter("ToolbarSize")) != null) {
sToolBarSize = StringUtil.escapeForHTML(request.getParameter("ToolbarSize"));
}


if (project.getbDebugFlag()) {
%>
<FRAMESET ROWS="99%,*" BORDER=0 FRAMESPACING=0 FRAMEBORDER=NO onLoad="frames[1].onLoadContent('INITIALIZELIST')">
<% } else { %>
<FRAMESET ROWS="100%,*" BORDER=0 FRAMESPACING=0 FRAMEBORDER=NO onLoad="frames[1].onLoadContent('INITIALIZELIST')">
<% } %>

<FRAME SRC=<%= project.getsTop() %>/jsp/ActionBarMainFrameVisual.jsp?ToolbarSize=<%= sToolBarSize %>
SCROLLING=AUTO MARGINHEIGHT=0 MARGINWIDTH=0 FRAMESPACING=0 FRAMEBORDER=NO NAME="VisualFrame">
<FRAME SRC=<%= StringUtil.escapeForHTML(request.getParameter("DataFrameURL")) + sQueryString %> SCROLLING=NO
MARGINHEIGHT=0 MARGINWIDTH=0 NORESIZE FRAMESPACING=0 FRAMEBORDER=NO NAME="DataFrame">
</FRAMESET>
</HTML>



In another JSP page we are using it as

else if (mode == 'D') {
top.TopContentFrame.TabContentFrame.location.href = dynamicFrame.project.sTop
+ "/jsp/ActionBarMainFrame.jsp?DataFrameURL=PROBLEM/PSRevList.jsp&ToolbarSize=80&BrowseTypeParam=PSR"
}

Can anyone please help me with how to fix this issue…


StringUtil.escapeForHtml

We are using the correct code for the escapeForHtml method, but I am unable to paste that code here...

lakshmi gullapudi
Greenhorn

Joined: Mar 18, 2013
Posts: 16
Please guide me on how to fix XSS in my application.
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30076

First of all, it's only been 13 hours since your post. Please don't bump topics - at least not that quickly. Many people only check the forums once a day. Or only on weekdays.

For toolbar size, you are expecting a number, right? Why not just whitelist and only allow numbers in there?

For DataFrameURL, you are going to need to do some debugging. Print out the before and after values to see if escapeForHtml is doing what you expect. That method was incorrect in one of your other posts, so I'm not convinced it is correct now. You have a far worse problem here though. You are allowing the user to specify (by URL) a frame that should be included in YOUR page. This means someone can pass a link to almost any website and have it show up looking like it is part of your website. You should restrict to a valid set of URLs. Ideally by passing a "key" rather than URL. But if you can't do that, you should at least check the URL is on the same domain (and path) as your website/company.
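Pulling together the advice in both replies above (whitelist ToolbarSize to a number, resolve DataFrameURL from a key instead of a request-supplied URL, and treat OnLoadGenTabs as a JavaScript context where HTML escaping does not help), here is an added example in Java; it is not code from the thread or from the application, and the ParamPolicy class name, the PSR_LIST key and the size bounds are assumptions. Because OnLoadGenTabs carries a whole JavaScript statement rather than a string literal, the example whitelists a bare function name instead of trying to escape the value.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not code from the thread: one place to validate the three
// request parameters discussed above before they reach any JSP output.
public final class ParamPolicy {

    // ToolbarSize is a pixel count, so whitelist digits and a sane range
    // (bounds are an assumption); anything else falls back to the page's 80.
    private static final Pattern DIGITS = Pattern.compile("\\d{1,3}");

    public static String toolbarSize(String raw) {
        if (raw == null || !DIGITS.matcher(raw).matches()) {
            return "80";
        }
        int n = Integer.parseInt(raw);
        return (n >= 10 && n <= 500) ? Integer.toString(n) : "80";
    }

    // DataFrameURL: callers pass a key and the server resolves it to a fixed
    // relative path, so no URL taken from the request is ever written into SRC.
    // The key name is an assumption; the path is the one used in the thread.
    private static final Map<String, String> FRAMES;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("PSR_LIST", "PROBLEM/PSRevList.jsp");
        FRAMES = Collections.unmodifiableMap(m);
    }

    public static String dataFrame(String key) {
        String path = (key == null) ? null : FRAMES.get(key);
        return (path != null) ? path : FRAMES.get("PSR_LIST");
    }

    // OnLoadGenTabs ends up as a JavaScript statement inside onLoad="...".
    // The browser decodes HTML entities before running the handler, so HTML
    // escaping cannot help here; accept only a bare function name and build
    // the call ourselves, or emit no onLoad attribute at all.
    private static final Pattern FUNC_NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,40}");

    public static String onLoadAttribute(String raw) {
        if (raw == null || !FUNC_NAME.matcher(raw).matches()) {
            return "";
        }
        return " onLoad=\"" + raw + "()\"";
    }
}
```

In the JSPs this replaces the escapeForHTML calls: `sToolBarSize = ParamPolicy.toolbarSize(request.getParameter("ToolbarSize"))`, the FRAME SRC is built from `ParamPolicy.dataFrame(...)`, and the BODY tag gets `ParamPolicy.onLoadAttribute(request.getParameter("OnLoadGenTabs"))` appended before the closing `>`.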