Cross Site scripting

Greenhorn
Posts: 20
One vulnerability was found in my application, that is cross site scripting.


JSP page :

<%@ page import="com.lpasystems.cmss.util.StringUtil" %>
<jsp:useBean id="project" class="com.lpasystems.cmss.ProjectBean" scope="application" />

<HTML>
<HEAD>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8">

<TITLE>User Access Type Tabs</TITLE>
<% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %>

<SCRIPT LANGUAGE="JavaScript">

function onLoadTabDocument()
{
parent.parent.DynamicFrame.TabClicked("");
}

var sDoneLoading = 'DONE'

</SCRIPT>
</HEAD>

<%
out.write("<BODY bgcolor=\"" + project.getsTitleBgColor() + "\" text=\"" + project.getsTitleTextColor() + "\"");

// Called from AccessTabs with appropriate OnLoad function call

if(StringUtil.escapeForHTML(request.getParameter("OnLoadGenTabs")) == null) {
out.write(">");
} else {
out.write(" onLoad=\"" + StringUtil.escapeForHTML(request.getParameter("OnLoadGenTabs")) + "\">\n");
}
%>

</BODY>
</HTML>



StringUtil.java

import java.text.CharacterIterator;
import java.text.StringCharacterIterator;

public class StringUtil {

    public static String escapeForHTML(String someText) {

        if (someText == null) {
            return someText;
        }

        final StringBuffer result = new StringBuffer();
        final StringCharacterIterator iterator = new StringCharacterIterator(someText);
        char character = iterator.current();
        while (character != CharacterIterator.DONE) {
            // every branch below appends the same character it matched
            if (character == '<') {
                result.append("<");
            }
            else if (character == '>') {
                result.append(">");
            }
            else if (character == '&') {
                result.append("&");
            }
            else if (character == '\"') {
                result.append("\"");
            }
            else if (character == '\'') {
                result.append("'");
            }
            else if (character == '(') {
                result.append("(");
            }
            else if (character == ')') {
                result.append(")");
            }
            else if (character == '#') {
                result.append("#");
            }
            else if (character == '%') {
                result.append("%");
            }
            else if (character == ';') {
                result.append(";");
            }
            else if (character == '+') {
                result.append("+");
            }
            else if (character == '-') {
                result.append("-");
            }
            else {
                // the char is not a special one
                // add it to the result as is
                result.append(character);
            }
            character = iterator.next();
        }
        return result.toString();
    }

}


URL - this is the URL that is causing the vulnerability

http://usa0300uz3456.apps.mc.xerox.com:10503/CMSS/jsp/GenTabs.jsp?OnLoadGenTabs=%3b%61%6c%65%72%74%28%36%36%36%38%33%29%2f%2f

Parameter : OnLoadGenTabs

I escaped characters like <, %, > but this issue is still occurring. Can you please help me with how to fix this issue?

author & internet detective
Posts: 41860
Your escaper doesn't escape HTML.


This does nothing. If you encounter an open HTML tag character, you just let it through. Consider using the ESAPI encoder tag.

As an added wrinkle, you are calling the escape HTML inside of a JavaScript tag. You need to escape JavaScript characters too.
lakshmi gullapudi
Greenhorn
Posts: 20
Please help me how to fix this XSS issue.


Vulnerability


http://usa0300uz1346.apps.mc.xerox.com:10202/GCS/jsp/ActionBarMainFrame.jsp?DataFrameURL=PROBLEM/PSRevList.jsp&ToolbarSize=80%20%73%54%79%4c%65%3d%58%3a%65%58%2f%2a%2a%2f%70%52%65%53%73%49%6f%4e%28%61%6c%65%72%74%28%35%38%31%37%32%29%29&BrowseTypeParam=PSR

Parameter: ToolbarSize

How can we restrict the junk values in the ToolbarSize parameter?


http://usa0300uz1346.apps.mc.xerox.com:10202/GCS/jsp/ActionBarMainFrame.jsp?DataFrameURL=%6a%41%76%41%73%43%72%49%70%54%3a%61%6c%65%72%74%28%35%38%38%35%38%29%20&ToolbarSize=80&BrowseTypeParam=PSR

Parameter: DataFrameURL

How can we restrict the junk values in the DataFrameURL parameter?


ActionBarMainFrame.jsp

<%@ page import="com.lpasystems.gcs.util.StringUtil" %>
<jsp:useBean id="project" class="com.lpasystems.gcs.ProjectBean" scope="application"/>
<jsp:useBean id="client" class="com.lpasystems.gcs.ClientBean" scope="session"/>
<jsp:useBean id="server" class="com.lpasystems.gcs.Server" />
<HTML><HEAD>

<TITLE>Action Bar</TITLE>
<% response.addHeader("X-Frame-Options", "SAMEORIGIN"); %>


<%
client.validateUser("", out, request, response);

String sQueryString = server.passRequestParamsToNextPage(request);
String sToolBarSize = "80";

if (StringUtil.escapeForHTML(request.getParameter("ToolbarSize")) != null) {
sToolBarSize = StringUtil.escapeForHTML(request.getParameter("ToolbarSize"));
}


if (project.getbDebugFlag()) {
%>
<FRAMESET ROWS="99%,*" BORDER=0 FRAMESPACING=0 FRAMEBORDER=NO onLoad="frames[1].onLoadContent('INITIALIZELIST')">
<% } else { %>
<FRAMESET ROWS="100%,*" BORDER=0 FRAMESPACING=0 FRAMEBORDER=NO onLoad="frames[1].onLoadContent('INITIALIZELIST')">
<% } %>

<FRAME SRC=<%= project.getsTop() %>/jsp/ActionBarMainFrameVisual.jsp?ToolbarSize=<%= sToolBarSize %>
SCROLLING=AUTO MARGINHEIGHT=0 MARGINWIDTH=0 FRAMESPACING=0 FRAMEBORDER=NO NAME="VisualFrame">
<FRAME SRC=<%= StringUtil.escapeForHTML(request.getParameter("DataFrameURL")) + sQueryString %> SCROLLING=NO
MARGINHEIGHT=0 MARGINWIDTH=0 NORESIZE FRAMESPACING=0 FRAMEBORDER=NO NAME="DataFrame">
</FRAMESET>
</HTML>



In another JSP page we are using it as

else if (mode == 'D') {
top.TopContentFrame.TabContentFrame.location.href = dynamicFrame.project.sTop
+ "/jsp/ActionBarMainFrame.jsp?DataFrameURL=PROBLEM/PSRevList.jsp&ToolbarSize=80&BrowseTypeParam=PSR"
}

Can anyone please help me with how to fix this issue?


StringUtil.escapeForHtml

We are using the correct code for the escapeForHtml method, but I am unable to paste that code here...

lakshmi gullapudi
Greenhorn
Posts: 20
Please guide me on how to fix XSS in my application.
Jeanne Boyarsky
author & internet detective
Posts: 41860
First of all, it's only been 13 hours since your post. Please don't bump topics - at least not that quickly. Many people only check the forums once a day. Or only on weekdays.

For toolbar size, you are expecting a number, right? Why not just whitelist and only allow numbers in there?

For DataFrameURL, you are going to need to do some debugging. Print out the before and after values to see if escapeForHtml is doing what you expect. That method was incorrect in one of your other posts, so I'm not convinced it is correct now. You have a far worse problem here though. You are allowing the user to specify (by URL) a frame that should be included in YOUR page. This means someone can pass a link to almost any website and have it show up looking like it is part of your website. You should restrict to a valid set of URLs. Ideally by passing a "key" rather than URL. But if you can't do that, you should at least check the URL is on the same domain (and path) as your website/company.
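Jeanne's two replies point at three concrete fixes: an escaper that really emits entity references, a numeric whitelist for ToolbarSize, and a key-to-path table for DataFrameURL instead of echoing a caller-supplied URL. The class below is an added example written for this thread, not the poster's StringUtil and not ESAPI; the class name SafeParams and the key name PSR_LIST are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

public final class SafeParams {

    // Real HTML escaping: emit the entity reference instead of the raw
    // character. The thread's version appended the character itself back.
    public static String escapeForHTML(String text) {
        if (text == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // ToolbarSize is a number, so whitelist one to three digits and fall
    // back to the page's default of 80; no request text is echoed otherwise.
    private static final Pattern DIGITS = Pattern.compile("[0-9]{1,3}");

    public static String toolbarSize(String raw) {
        return (raw != null && DIGITS.matcher(raw).matches()) ? raw : "80";
    }

    // DataFrameURL becomes a key (hypothetical name "PSR_LIST") looked up
    // in a fixed table of application-relative paths; unknown keys are refused.
    private static final Map<String, String> DATA_FRAMES = new HashMap<String, String>();
    static {
        DATA_FRAMES.put("PSR_LIST", "PROBLEM/PSRevList.jsp");
    }

    public static String dataFrameUrl(String key) {
        String path = (key == null) ? null : DATA_FRAMES.get(key);
        if (path == null) {
            throw new IllegalArgumentException("unknown DataFrameURL key: " + key);
        }
        return path;
    }
}
```

In ActionBarMainFrame.jsp the two FRAME SRC attributes would then be quoted and built from toolbarSize(...) and dataFrameUrl(...), with the calling page passing the key instead of the path.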