JSTL c:out in Anchor tag

 
Ranch Hand
Hi,


How do I use the JSTL c:out tag value inside the anchor tag (a href)? I have the a href below:


<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=${userId}">Customer Data</a></p>

Here, instead of using the JSP expression, I need to use <c:out> to prevent XSS attacks. Please let me know whether the below is fine:

<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=<c:out value='${userId}'/>">Customer Data</a></p>

If not, what is the best way to prevent XSS attacks in the above a href tag? Please clarify.

Thanks


 
Sheriff
I didn't see any problems with it. Did it work when you tried it?
 
Marshal
Where is the XSS vulnerability in your example?  Is the value of ${userId} untrustworthy and needs to be sanitized/escaped before being sent to the client/browser?
 
Rancher
Aren't those effectively the same thing?
You're just setting the value to whatever userId is.
As Ron says, that's not going to have any effect on XSS, if userId is unsafe.
 
Rithanya Laxmi
Ranch Hand
Hi Team,

The security team has reported that the below URL, where we are passing the userId, is susceptible to XSS attacks, so they are asking us to escape or HTML-encode it.

<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=${userId}">Customer Data</a></p>

I read that using c:out or fn:escapeXml we can make sure the value passed is safe and not susceptible to XSS attacks.

To answer the query below:

Is the value of ${userId} untrustworthy and needs to be sanitized/escaped before being sent to the client/browser?

Yes, for this value only I am thinking of using <c:out value>:

<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=<c:out value='${userId}'/>">Customer Data</a></p>

Please let me know whether this is the right way to sanitize/escape it before sending it to the browser.

Thanks in advance.
 
Sheriff
I think you've got it backwards. You're talking about information you have (the userId) that you're putting into the URL that is contained in the response.

Sanitizing to prevent XSS is about sanitizing input, not so much the output, which is what you're thinking of doing with <c:out userid> in the middle of the hard-coded URL.

For example, if you have userId = "rlaxmi" then that URL becomes this:

There is no security benefit in escaping or encoding the output there if you have full control of what the value of that parameter is when you craft the URL. All you'd be doing is Security by obscurity which is nothing, essentially.

What you need to do is prevent malicious attackers from taking that URL (the attack surface) and replacing the value of the userId parameter to something that, if used raw and unsanitized, can be used to exploit a vulnerability in your code. It's the data that is coming in that you want to sanitize, not so much the values that you're displaying because at that point, it might already be too late.

Search for articles that explain the anatomy of a XSS attack to get a better understanding of exactly what it is you're trying to prevent. Make sure you understand what you're doing, don't just take whatever instructions you're given verbatim and blindly do things without understanding the underlying mechanisms and issues you're trying to address.
 
Rithanya Laxmi
Ranch Hand
Thanks Lacar. Could you please let me know the best way to sanitize the input value before it is displayed/rendered in the browser? The <c:out> added here is not having any impact, and based on the testing we are still seeing the XSS popup being displayed when we pass a request value like the one below:

<a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=<c:out value= '${userId}'/>">Customer Data</a>

Testing is done by passing the below value for userId, which is not preventing the XSS and is displaying the alert message with 123, even after adding the <c:out> as above.

/xxx/test/customerData.jsp?userId=%22whscheck=%22whscheck%22onmouseover=%22alert(123)%22&userId=-4658372095924766409&login=success&_requestid=3980

I want to handle this through the JSTL tag on the client side. Please let me know whether there is any other option to handle XSS attacks by encoding the userId input value that is passed to the anchor tag.

Thanks in advance.
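Added example (not code from any participant in this thread), showing why the test value above escapes the attribute and what each treatment renders. The `%22...%22` sequence URL-decodes to `"whscheck="whscheck"onmouseover="alert(123)"`; the first `"` closes `href="..."` and the rest of the value lands on the `<a>` element as new attributes, which is where `onmouseover="alert(123)"` comes from. The `escapeXml` helper here mirrors the five characters that JSTL's `fn:escapeXml`/`c:out` replace (`<`, `>`, `&`, `'`, `"`; an assumption about the JSTL implementation, not something the thread states), and `java.net.URLEncoder` (the two-argument form, Java 10 or later) is the JDK encoder for the query-string context. It is plain Java so it runs without a servlet container:

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/**
 * Added example: the same untrusted userId rendered inside
 * href="/xxx/test/customerData.jsp?userId=..." under three treatments.
 */
public class AnchorEncodingDemo {

    // Constructed input: the URL-decoded form of the test value from the thread,
    // %22whscheck=%22whscheck%22onmouseover=%22alert(123)%22
    static final String PAYLOAD = URLDecoder.decode(
            "%22whscheck=%22whscheck%22onmouseover=%22alert(123)%22",
            StandardCharsets.UTF_8);

    static final String PREFIX =
            "<a id=\"customerData\" class=\"btn-link\" href=\"/xxx/test/customerData.jsp?userId=";
    static final String SUFFIX = "\">Customer Data</a>";

    /** What a bare ${userId} does: raw interpolation, no encoding at all. */
    static String renderRaw(String userId) {
        return PREFIX + userId + SUFFIX;
    }

    /** Mirrors fn:escapeXml / c:out (assumed: the five characters JSTL escapes). */
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String renderHtmlEscaped(String userId) {
        return PREFIX + escapeXml(userId) + SUFFIX;
    }

    /** The encoding the query-string context itself calls for. */
    static String renderUrlEncoded(String userId) {
        return PREFIX + URLEncoder.encode(userId, StandardCharsets.UTF_8) + SUFFIX;
    }

    /** True when a raw quote in the value has closed href="..." early and an
     *  onmouseover attribute now sits on the <a> element itself. */
    static boolean attributeBrokenOut(String html) {
        return html.contains("\"onmouseover=\"");
    }

    public static void main(String[] args) {
        System.out.println("decoded payload: " + PAYLOAD);
        String[][] rows = {
            {"raw ${userId}      ", renderRaw(PAYLOAD)},
            {"fn:escapeXml/c:out ", renderHtmlEscaped(PAYLOAD)},
            {"URLEncoder         ", renderUrlEncoded(PAYLOAD)},
        };
        for (String[] r : rows) {
            System.out.println(r[0]
                    + (attributeBrokenOut(r[1]) ? "BREAKS OUT   " : "stays inside ")
                    + r[1]);
        }
    }
}
```

Both encoded forms keep the value inside the attribute, because no raw `"` survives; the difference between them is context. A value placed in a query string sits in a URL context first and an HTML-attribute context second, so URL-encoding it is the form that survives both parsers and round-trips as the same parameter on the next request, while HTML-escaping alone leaves a literal `"` in the link target once the browser decodes `&#034;`. Two things worth checking if a correctly closed `<c:out .../>` still produces the alert: `${userId}` in EL resolves a page/request/session/application attribute, not the query parameter (that would be `${param.userId}`), so whatever code sets that attribute is where the value actually enters; and the payload may be reflected somewhere other than this one anchor, for instance in the target customerData.jsp itself.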

 
Dave Tolls
Rancher
No, you want to handle this by sanitising your data as it comes into your application.

You have received a userId from the client; surely you can validate that before doing any more processing?
That string of stuff should never get as far as the JSP page.
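One way to do what Dave describes, as an added example rather than anything posted in the thread: validate `userId` where it enters (the servlet, or a filter that runs before the forward to the JSP) and reject anything that is not a number, so the JSP only ever sees a value of the expected shape. The validator is plain Java; the servlet lines in the comment are an assumed placement, and the `-?[0-9]{1,19}` shape is taken from the legitimate value in the test URL above (`-4658372095924766409`), which fits a signed 64-bit integer:

```java
import java.util.Optional;
import java.util.regex.Pattern;

/** Added example: reject a malformed userId at the boundary, before any JSP sees it. */
public final class UserIdValidator {

    // Shape assumed from the legitimate value in the thread's test URL:
    // an optional minus sign followed by 1 to 19 digits, nothing else.
    private static final Pattern USER_ID = Pattern.compile("-?[0-9]{1,19}");

    /** Returns the parsed id, or empty when the raw value must be rejected. */
    public static Optional<Long> parse(String raw) {
        if (raw == null || !USER_ID.matcher(raw).matches()) {
            return Optional.empty();
        }
        try {
            // parseLong also rejects 19-digit values that overflow the long range
            return Optional.of(Long.parseLong(raw));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
    }

    // Assumed placement in the servlet or filter that forwards to the JSP:
    //
    //   String[] values = request.getParameterValues("userId");
    //   if (values == null || values.length != 1) { response.sendError(400); return; }
    //   Optional<Long> id = UserIdValidator.parse(values[0]);
    //   if (id.isEmpty()) { response.sendError(400); return; }
    //   request.setAttribute("userId", id.get());   // the JSP now only ever sees a number

    public static void main(String[] args) {
        // Constructed samples: the legitimate id, the decoded test payload, and assorted junk.
        String[] samples = {
            "-4658372095924766409",
            "\"whscheck=\"whscheck\"onmouseover=\"alert(123)\"",
            "123abc",
            "",
            null,
            "9999999999999999999",   // 19 digits, passes the regex, overflows long
        };
        for (String s : samples) {
            System.out.printf("%-50s -> %s%n", s,
                    parse(s).map(v -> "accept " + v).orElse("reject (400)"));
        }
    }
}
```

Note that the test URL carries `userId` twice. `request.getParameter("userId")` returns only the first value, which in that URL is the payload, so the comment above reads `getParameterValues` and refuses the request when there is more than one. Boundary validation and output encoding are complementary rather than alternatives: the validator keeps junk out of every downstream sink at once, and the encoder protects the one sink being rendered even on a path where validation was missed.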
 
Rithanya Laxmi
Ranch Hand
Thanks Dave, but how can I sanitize the input data in the JSP? I am already using the <c:out> as mentioned in the link below to prevent XSS attacks. I want to handle this from the client side/JSP. I was going through the URL below, where it says to use <c:out> for sanitization.

https://hdivsecurity.com/owasp-xss

Why is <c:out> not working here as described in the above link? I am not getting how we can sanitize the input data (userId) here to prevent XSS attacks.

The other option is using ${fn:escapeXml(userId)}:

<a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=${fn:escapeXml(userId)}">Customer Data</a>

Is there any other option to ensure the input is encoded and not susceptible to XSS attacks from JSP? Please provide your expert opinion and let me know where I am going wrong.

 
Rithanya Laxmi
Ranch Hand
Hi Team,

Any update on this issue is highly appreciated. Thanks in advance.
 
Sheriff

Rithanya Laxmi wrote: Thanks Dave, but how can I sanitize the input data in the JSP? I am already using the <c:out> as mentioned in the link below to prevent XSS attacks.



It seems like you didn't understand what Dave posted. He said you should sanitize the input when it comes in. You persist in asking how to sanitize it in a JSP, which is a tool to output data. So that's the wrong question to ask and you should stop asking it. Instead you should be working on sanitizing the input when you receive it.
 
Rithanya Laxmi
Ranch Hand
Thanks Paul. In that case, should the input sanitization be done on the server side in Java code rather than in the JSP? If so, why do the links below say to use <c:out> and <fn:escapeXml> for HTML sanitization in JSP?

https://hdivsecurity.com/owasp-xss
https://stackoverflow.com/questions/2658922/xss-prevention-in-jsp-servlet-web-application
 
Paul Clapham
Sheriff
Somehow two threads seem to have converged on a duplicate discussion. Let's put all of the future discussion into the other one: https://coderanch.com/t/722265/java/XSS-attacks-anchor-tag

I'll close this one.
 