Hi all,
I have an issue in my application. An attacker can manipulate the paths associated with files used by the application. It could print the contents of arbitrary files on the system.
So you should validate the URL, and make sure it only contains paths to files you want to allow. Never trust any user input. If an incorrect file is requested you could return a 403 (Forbidden) or a 404 (Not Found). Just make sure to always return the same code and not a 403 for files that exist and a 404 for files that don't exist, because that would leak out information about the presence of files.
Thanks. What would be the right way to validate the URL that we are including in the JSP include?
In the example below, we can write code such that if the URL contains web.xml, we don't include the file.
String url = "WEB-INF/web.xml"; // dynamic value (in this case: WEB-INF/web.xml)
<jsp:include page='<%= url %>' flush="true"></jsp:include>
Instead of blacklisting (disallowing certain URLs such as WEB-INF/web.xml), I'd go for whitelisting instead - only allow those URLs that you actually want to include. This should be part of the code that determines the dynamic URL.
Thank you for the suggestion. But I do have many URLs to include dynamically, and I am avoiding the URL for web.xml alone. So how can I whitelist in this case?
You say you're excluding web.xml only, but what about class files, tag files, etc.? Everything inside WEB-INF should be shielded. Also, everything outside of your application should be shielded. So if you can make sure the whitelisting only contains resources within your application (e.g. disallow any form of .. to disallow going up one directory, make any absolute path relative to your application) and does not refer to anything in WEB-INF, then it should be safe to include these (as these resources are already public).
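An added example of the whitelisting approach described in the replies above (not code from any poster in this thread): a hypothetical helper that normalises the requested include target, refuses anything that climbs out of the web root or points into WEB-INF or META-INF, and then only accepts JSP fragments under a small set of allowed directories. The directory names "fragments" and "pages" and the class name are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

// Hypothetical helper, not from this thread: maps a user-supplied include
// target to a safe web-root-relative path, or returns null to reject it.
public final class IncludePathValidator {

    // Assumed: the only web-root directories whose fragments may be included.
    private static final Set<String> ALLOWED_DIRS = Set.of("fragments", "pages");

    private IncludePathValidator() {}

    public static String resolve(String requested) {
        // Percent-encoding and NUL bytes are never legitimate here; reject
        // rather than try to decode them.
        if (requested == null || requested.isEmpty()
                || requested.indexOf('%') >= 0 || requested.indexOf('\0') >= 0) {
            return null;
        }
        // Treat backslashes as separators and strip leading slashes so the
        // candidate is always interpreted relative to the web root.
        String unified = requested.replace('\\', '/');
        while (unified.startsWith("/")) {
            unified = unified.substring(1);
        }
        // Collapse "." and ".." segments; a leading ".." that survives means
        // the path climbed above the web root.
        Path normalized = Paths.get(unified).normalize();
        if (normalized.getNameCount() < 2 || normalized.startsWith("..")) {
            return null;
        }
        // Shield the container's private areas regardless of case.
        for (Path segment : normalized) {
            String name = segment.toString();
            if (name.equalsIgnoreCase("WEB-INF") || name.equalsIgnoreCase("META-INF")) {
                return null;
            }
        }
        // Whitelist: the top-level directory must be allowed and the target
        // must be a JSP fragment, e.g. "pages/about.jsp".
        String canonical = normalized.toString().replace('\\', '/');
        if (!ALLOWED_DIRS.contains(normalized.getName(0).toString())
                || !canonical.endsWith(".jsp")) {
            return null;
        }
        return canonical;
    }
}
```

In the JSP, pass the request parameter through resolve() and answer a null result with one fixed status, e.g. response.sendError(404), before the <jsp:include> runs, so that a forbidden file and a missing file look the same to the client.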