Rithanya Laxmi

Hi Experts,

Any update to handle this

Thanks Tim, rather than making these changes from Java code, whether there is a way to detect the SameSite Cookie flags (chrome://flags – 3 of them which are enabled by default in Chrome version 80) set in the user Chrome browser version 80 to see it is enabled through Java script/Java ?  and if  these flags are “enabled” “disable” the flags through the javascript/java. Any API to detect these SameSite cookie flags which are internal to Chrome version 80 browser TO HANDLE THIS OPERATION?

Hi,

We are using Servlet Cookie API to set the Cookie , i want to support the SameSite Cookie for Chrome browser version 80, Servlet Cookie API doesn't support SameSite and Secure attributes. Is there a possibility to create a Custom Cookie to set the SameSite attribute in java/servlet code ? If so there are any examples available ? Please let know how we can set the SameSite attribute in Java servlet code?

Cookie cookie = ServletUtil.createCookie(“Cookie Name”);
           cookie.setDomain(“test);
           cookie.setMaxAge(60 * 60 * 24 * 60);
           cookie.setPath("/");
           pResponse.addCookie(cookie);



Thanks

But throwing an error message is not a part of the requirement for this direct URL invocation, which you mentioned is correct , but this is an interim solution we are looking at hence the idea is to replace the special characters in the accountName passed and adjust it to make it valid as you pointed out and that is the requirement for this functionality. Please let me know reload of the page makes a difference here?

This URL is getting invoked by the security team for testing by passing the special characters to check the code prevents XSS attacks, so this URL is invoked directly which in any case wont happen in a real time scenario , but here since the security team has reported the issue by directly invoking the URL we need to replace these spl char with space

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%.

For that only i am using the below

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>
Redirect to -> <Redirect:XXX name="url" value="/test/xxx/accountDisplay?accountName=${accountName}" />

Please let me know this reload is still needed here?

Thanks,Page reload (redirect) is needed for the base URL to get updated without spl characters if there is one when it is invoked initially? Without page reload whether the URL will get updated without spl characters?


Initial URL with special char,

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special char and page reload, it should be displayed like below ,

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1

are you telling without page reload also it is fine, there is no need to reaload/redirect the page with the updated request param . For example the below will replace the special char in accountName input passed to the page

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>

and this accountName will be passed to the other links in the same page. Thats it there is no need to redirect the page to the same accountDisplay.jsp with the accountName displayed without spl characters so  it is not susceptible to XSS? it will be like,

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>
Redirect to -> <Redirect:XXX name="url" value="/test/xxx/accountDisplay?accountName=${accountName}" />

Please clarify here the reload is not needed and why?

Thanks, but when we are replacing the spl characters with replace it should reload the page  to ensure the URL is updated accordingly with no special characters like below. For that atleast i need to do a conditional check with fn:contains right? else how i can reload the page if there are special char in the request param (accountName)? please clarify.

Initial URL with special char,

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special char and page reload, it should be displayed like below

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1

Yes right we need to replace the special characters in the input with space and i need to do it only when the input is having the special characters , if not leave it as it is , else replace with space and reload the page to ensure URL is updated with input which doesn't contains these special characters.

Initial URL with special char,

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special char and page reload, it should be displayed like below

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1

This is what i am looking at.

Thanks

we need to check the passed input accountName is having any of these special characters?

& ( ) % " =

if it is there , replace these characters with space.

Hi Team,

How to verify the string value accountName contains of any of the below special characters using fn:contains JSTL function.

& ( ) % " =

If any of these characters are available in accountName then we need to use the fn:replace to replace the special character with space. Please let know how we can evaluate multiple fn:contains to check multiple special characters in JSP.

Thanks in advance

Thanks Dave. if the c:out tag escapes XML still the script value passed will be displayed? i see in the below link they mentioned the script will be displayed but wont be executed so the user input is safe ?

https://security.stackexchange.com/questions/115395/how-to-prevent-reflected-xss-with-the-java-struts-framework

Not sure what is the meaning of it wont be executed and safe as still the alert is displayed? please explain. In that case how we cam consider C:OUT tag to prevent XSS attacks?

Hi,


I have the  ${username} variable is replaced by the content of the username parameter in a request (typical reflected XSS).

So the request www.yoursite.com/somepage?username=<script>alert('XSS');</script>

would indeed prove the effectiveness of the XSS, with an alert box popping as a proof of concept.

If we replace the code with the following :

<p>Hello, dear <c:out value="${username}" /></p>

, the <script>alert('XSS');</script> is still be displayed on the page ? in that case it is still executed and there fore making it again unsafe and susceptible to XSS attacks?

Could you please highlight how the JSTL c:out tag will make sense in handling the XSS issues if the Javascript alert passed in the username input is still getting displayed.

Thanks in advance.

Thanks Paul, in that case the input sanitization should be done at the server side in java code than in JSP? if that is the case why in the below links it is mentioned to use <c:out> and <fn:escapeXml> for HTML sanitization in JSP ?

https://hdivsecurity.com/owasp-xss
https://stackoverflow.com/questions/2658922/xss-prevention-in-jsp-servlet-web-application