Url Encoding via jsp

 
sagar pandit
Greenhorn
Hello,

I have a URL that contains URL parameters in the form of name-value pairs.

But there is a problem: there is an XSS issue with that.

Suppose, for example, the URL is http://localhost:8080/UrlEncode/UrlEncoderSample.jsp?name=vimal&id=0812573&NIC=vimal basdeo&f=nasha sahdjsa hk

And now if a user inserts any invalid data in any of the name-value pairs, it allows it to execute.

Can anyone please tell me how these URL parameters can be encoded/encrypted through JSP so that the user will not be able to insert anything?

 
Bear Bibeault
Marshal
URL encoding has nothing to do with allowing or disallowing what can happen on the server. URL encoding is just the means by which "special characters" such as &, space, and the like are encoded into the URL values.

What you need on the server is authentication and authorization so that users aren't allowed to do anything that they shouldn't be doing.
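
To make Bear's distinction concrete, here is an added example in plain Java (my code, not anything posted in this thread). It URL-decodes each parameter the way a servlet container's request.getParameter() does, and shows that the decoded value is the attacker's raw payload again: URL encoding is transport syntax, not a control. What stops the script from running in the browser is HTML-escaping the value when it is written into the page (in JSP, JSTL's <c:out> does this by default). The parseQuery and htmlEscape helpers, the class name and the sample query string are all constructed for this example; the second call shows that a malformed percent-escape such as "%Al" is rejected by java.net.URLDecoder rather than passed through.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: URL decoding of request parameters versus HTML escaping at output.
public class ParamEscapeDemo {

    // Parse a raw query string as a container would, URL-decoding each name and value.
    // URLDecoder throws IllegalArgumentException on malformed percent-escapes (e.g. "%Al").
    static Map<String, String> parseQuery(String query) throws UnsupportedEncodingException {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, "UTF-8"), URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    // Escape a value for insertion into HTML text or a double-quoted attribute.
    // This is the step that neutralises an XSS payload; URL decoding does not.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an XSS payload URL-encoded the way a browser would send it.
        String payload = "<script>alert('sagar')</script>";
        String query = "name=" + URLEncoder.encode(payload, "UTF-8") + "&id=0812573";

        Map<String, String> params = parseQuery(query);
        // The raw payload comes back unchanged: URL encoding neither hid nor removed it.
        System.out.println("decoded name = " + params.get("name"));
        // Escaped at output, it is inert text in the page.
        System.out.println("escaped name = " + htmlEscape(params.get("name")));

        // A malformed escape is rejected at parse time; treat this as a bad request.
        try {
            parseQuery("name=vimal%Alert(\"sagar\")%");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The escaping shown is for an HTML body or attribute context; a value written into a JavaScript block, a URL attribute or a CSS property needs the escaping rules of that context instead.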
 
sagar pandit
Greenhorn
Bear Bibeault wrote: URL encoding has nothing to do with allowing or disallowing what can happen on the server. URL encoding is just the means by which "special characters" such as &, space, and the like are encoded into the URL values.

What you need on the server is authentication and authorization so that users aren't allowed to do anything that they shouldn't be doing.



Thanks for your reply,

But suppose I don't want the user to modify my name-value pairs in the URL; what kind of authentication or authorization should I do?

Note that the case is this: there is a logon button; when I click on it there is a change in the URL where I get name-value pairs in the URL, and if I change any of the values it still allows me to go to the next page, which is a threat. Also I can't use the POST method as the client wants those parameters in the URL.

So my query is: suppose an attacker modifies

http://localhost:8080/UrlEncode/UrlEncoderSample.jsp?name=vimal&id=0812573&NIC=vimal basdeo&f=nasha sahdjsa hk

to something like

http://localhost:8080/UrlEncode/UrlEncoderSample.jsp?name=vimal%Alert("sagar")%&id=0812573&NIC=vimal basdeo&f=nasha sahdjsa hk

can the parameters be encoded so that if such modifications are made he will get an error page or something?

Thanks

 
Ishan Pandya
Ranch Hand
As Bear said,

Do some validation on the server side to check the request parameters (URL parameters, as you say); then if you find something wrong, send the user to an error page.

To my knowledge there is no such thing that can stop a user from modifying the request parameters or encoding the URL. If you find one, please tell us here.
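
Nothing stops a user from editing the address bar, but the server can detect that it happened. The following is an added example in plain Java (my code, not from this thread or any library) of a tamper-evident query string: after logon the server appends an HMAC-SHA256 signature, computed under a secret key over the exact query string it issued, and every subsequent request is verified against the raw query string before the parameters are trusted; anything that fails verification is what you route to the error page. The sign and verify helpers, the class name, the parameter names and the key string are assumptions made for the demo; in practice the key comes from server configuration, not source code.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: HMAC-signed query strings so that edited parameters are detected.
public class SignedQueryDemo {
    private static final String ALG = "HmacSHA256";

    // Hex-encoded HMAC of data under key.
    static String hmacHex(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        byte[] out = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(out.length * 2);
        for (byte b : out) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Build the query string the server emits after logon: URL-encoded name=value pairs,
    // then a signature over exactly that string as the final parameter.
    static String sign(byte[] key, Map<String, String> params) throws Exception {
        StringBuilder q = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (q.length() > 0) q.append('&');
            q.append(URLEncoder.encode(e.getKey(), "UTF-8"))
             .append('=')
             .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return q + "&sig=" + hmacHex(key, q.toString());
    }

    // Verify the raw incoming query string (request.getQueryString() in a servlet):
    // split off the trailing sig, recompute, and compare in constant time.
    static boolean verify(byte[] key, String query) throws Exception {
        int at = query.lastIndexOf("&sig=");
        if (at < 0) return false;                       // unsigned URL: reject
        String body = query.substring(0, at);
        String sig = query.substring(at + "&sig=".length());
        byte[] expected = hmacHex(key, body).getBytes(StandardCharsets.US_ASCII);
        byte[] got = sig.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, got);    // length-safe, constant-time
    }

    public static void main(String[] args) throws Exception {
        // Constructed key for the demo; a real deployment loads a random secret from config.
        byte[] key = "replace-with-a-random-server-secret".getBytes(StandardCharsets.UTF_8);

        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "vimal");
        params.put("id", "0812573");
        params.put("NIC", "vimal basdeo");

        String issued = sign(key, params);
        System.out.println(issued);
        System.out.println("issued verifies:   " + verify(key, issued));     // true

        // The user edits one value in the address bar: the signature no longer matches.
        String tampered = issued.replace("name=vimal", "name=vimal%3Cscript%3E");
        System.out.println("tampered verifies: " + verify(key, tampered));   // false -> error page
    }
}
```

Two caveats a practitioner would want: verify against the raw query string rather than re-serialised parameters, because parsing and re-encoding can change order or escaping and break the comparison; and a valid signature only proves the server produced those values, so they still need HTML-escaping when written back into the page, and without an expiry or nonce in the signed data a captured URL can be replayed.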
 
sagar pandit
Greenhorn
Ishan Pandya wrote: As Bear said,

Do some validation on the server side to check the request parameters (URL parameters, as you say); then if you find something wrong, send the user to an error page.

To my knowledge there is no such thing that can stop a user from modifying the request parameters or encoding the URL. If you find one, please tell us here.



Thanks Guys

I have done some validation to replace the invalid strings with white space. The alert does not show now, so there was no need to encrypt it.
 