JSTL c:out in Anchor tag

 
Ranch Hand
Posts: 251
Hi,


How do I use the JSTL c:out tag value inside the anchor tag (a href)? I have the below a href,


<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=${userId}">Customer Data</a></p>

Here, instead of using the JSP expression, I need to use <c:out> to prevent XSS attacks. Please let me know whether the below is fine:

<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=<c:out value='${userId}'/>">Customer Data</a></p>

If not, what is the best way to prevent XSS attacks in the above a href tag? Please clarify.

Thanks


 
Marshal
Posts: 67313
I didn't see any problems with it. Did it work when you tried it?
 
Saloon Keeper
Posts: 2806
Where is the XSS vulnerability in your example? Is the value of ${userId} untrustworthy and needs to be sanitized/escaped before being sent to the client/browser?
 
Master Rancher
Posts: 4371
Aren't those effectively the same thing?
You're just setting the value to whatever userId is.
As Ron says, that's not going to have any effect on XSS, if userId is unsafe.
 
Rithanya Laxmi
Ranch Hand
Posts: 251
Hi Team,

It is being reported by the security team that the below URL, where we are passing the userId, is susceptible to XSS attacks, so they were asking to escape or HTML-encode it.

<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=${userId}">Customer Data</a></p>

I read that using c:out or fn:escapeXml we can make sure the value passed is safe and not susceptible to XSS security attacks.

To answer the below query,

Is the value of ${userId} untrustworthy and needs to be sanitized/escaped before being sent to the client/browser?

Yes, for this value only I am thinking of using <c:out value> -

<p><a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=<c:out value='${userId}'/>">Customer Data</a></p>

Please let me know whether this is the right way to sanitize/escape it before sending it to the browser?

Thanks in advance.
 
Marshal
Posts: 14530
I think you've got it backwards. You're talking about information you have (the userId) that you're putting into the URL that is contained in the response.

Sanitizing to prevent XSS is about sanitizing input, not so much the output, which is what you're thinking of doing with <c:out userid> in the middle of the hard-coded URL.

For example, if you have userId = "rlaxmi" then that URL becomes this:

There is no security benefit in escaping or encoding the output there if you have full control of what the value of that parameter is when you craft the URL. All you'd be doing is Security by obscurity which is nothing, essentially.

What you need to do is prevent malicious attackers from taking that URL (the attack surface) and replacing the value of the userId parameter to something that, if used raw and unsanitized, can be used to exploit a vulnerability in your code. It's the data that is coming in that you want to sanitize, not so much the values that you're displaying because at that point, it might already be too late.

Search for articles that explain the anatomy of a XSS attack to get a better understanding of exactly what it is you're trying to prevent. Make sure you understand what you're doing, don't just take whatever instructions you're given verbatim and blindly do things without understanding the underlying mechanisms and issues you're trying to address.
 
Rithanya Laxmi
Ranch Hand
Posts: 251
Thanks Lacar, could you please let me know what is the best way to sanitize the input value before it is displayed/rendered in the browser, as the <c:out> added here is not having any impact, and based on the testing we are still seeing the XSS popup being displayed when we pass a request value like the one below:

<a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=<c:out value= '${userId}'/>">Customer Data</a>

Testing is done by passing the below value for userId, which is not preventing the XSS and displays the alert message with 123, even after adding the <c:out> as above.

/xxx/test/customerData.jsp?userId=%22whscheck=%22whscheck%22onmouseover=%22alert(123)%22&userId=-4658372095924766409&login=success&_requestid=3980

I want to handle this through the JSTL tag on the client side. Please let me know whether there is any other option to handle XSS attacks by encoding the userId input value that is being passed to the anchor tag.

Thanks in advance.

 
Dave Tolls
Master Rancher
Posts: 4371
No, you want to handle this by sanitising your data as it comes into your application.

You have received a userId from the client, surely you can validate that before doing any more processing?
That string of stuff should never get as far as the JSP page.
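A server-side version of what Dave describes, as an added example that is not from this thread or any of the posters: the servlet (or filter) validates userId as a plain integer before anything is forwarded to the JSP, and the link builder URL-encodes the parameter and then HTML-escapes the attribute value, which is the same escaping c:out and fn:escapeXml apply. Class and method names are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Validate on input, encode on output. Added example; names are assumptions.
public final class UserIdLink {
    // userId in the thread looks like a signed integer (e.g. -4658372095924766409).
    private static final Pattern USER_ID = Pattern.compile("-?\\d{1,19}");

    /** Rejects anything that is not a plain integer id, so the payload never reaches the JSP. */
    public static long parseUserId(String raw) {
        if (raw == null || !USER_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid userId");
        }
        return Long.parseLong(raw); // 19 digits can still overflow; NumberFormatException is acceptable
    }

    /** Builds the href: URL-encode the parameter value, then HTML-escape the whole attribute. */
    public static String customerDataHref(String userId) {
        String query = "userId=" + URLEncoder.encode(userId, StandardCharsets.UTF_8);
        return escapeHtmlAttr("/xxx/test/customerData.jsp?" + query);
    }

    // Same five characters that JSTL's c:out / fn:escapeXml replace.
    static String escapeHtmlAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String payload = "\"whscheck=\"whscheck\"onmouseover=\"alert(123)\"";
        // Input validation: the injected value is rejected before any forward to the JSP.
        try { parseUserId(payload); } catch (IllegalArgumentException e) { System.out.println("rejected: " + payload); }
        // Output encoding: the quotes become %22, so they cannot terminate the href attribute.
        System.out.println(customerDataHref(payload));
        System.out.println(customerDataHref("-4658372095924766409"));
    }
}
```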
 
Rithanya Laxmi
Ranch Hand
Posts: 251
Thanks Dave, but how can I do the sanitizing of the input data in JSP? I am already using the <c:out> as mentioned in the below link to prevent XSS attacks. I want to handle this from the client side/JSP. I was going through the below URL, where it is mentioned to use <c:out> for sanitization.

https://hdivsecurity.com/owasp-xss

Why is <c:out> not working here as mentioned in the above link? I am not getting how we can sanitise the input data (userId) here to prevent XSS attacks.

The other option is using ${fn:escapeXml(userId)}

<a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=${fn:escapeXml(userId)}">Customer Data</a>

Is there any other option we have to ensure the input is encoded and not susceptible to XSS attacks from JSP? Please provide your expert opinion and let me know where I am going wrong.

 
Rithanya Laxmi
Ranch Hand
Posts: 251
Hi Team,

Any update on this issue is highly appreciated. Thanks in advance.
 
Sheriff
Posts: 24761

Rithanya Laxmi wrote: Thanks Dave, but how can I do the sanitizing of the input data in JSP? I am already using the <c:out> as mentioned in the below link to prevent XSS attacks.

It seems like you didn't understand what Dave posted. He said you should sanitize the input when it comes in. You persist in asking how to sanitize it in a JSP, which is a tool to output data. So that's the wrong question to ask and you should stop asking it. Instead you should be working on sanitizing the input when you receive it.
 
Rithanya Laxmi
Ranch Hand
Posts: 251
Thanks Paul, in that case should the input sanitization be done at the server side in Java code rather than in JSP? If that is the case, why is it mentioned in the below links to use <c:out> and <fn:escapeXml> for HTML sanitization in JSP?

https://hdivsecurity.com/owasp-xss
https://stackoverflow.com/questions/2658922/xss-prevention-in-jsp-servlet-web-application
 
Paul Clapham
Sheriff
Posts: 24761
Somehow two threads seem to have converged on a duplicate discussion. Let's put all of the future discussion into the other one: https://coderanch.com/t/722265/java/XSS-attacks-anchor-tag

I'll close this one.