Rithanya Laxmi

Ranch Hand
since Jan 24, 2011
Recent posts by Rithanya Laxmi

But throwing an error message is not part of the requirement for this direct URL invocation, which, as you mentioned, is correct. This is an interim solution we are looking at, hence the idea is to replace the special characters in the accountName passed and adjust it to make it valid, as you pointed out, and that is the requirement for this functionality. Please let me know whether a reload of the page makes a difference here?
1 week ago
JSP
This URL is getting invoked by the security team for testing by passing the special characters to check that the code prevents XSS attacks, so this URL is invoked directly, which in any case won't happen in a real-time scenario, but here, since the security team has reported the issue by directly invoking the URL, we need to replace these special characters with space:

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%.

For that I am using the below:

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>
Redirect to -> <Redirect:XXX name="url" value="/test/xxx/accountDisplay?accountName=${accountName}" />

Please let me know whether this reload is still needed here?
1 week ago
JSP
Thanks. Is a page reload (redirect) needed for the base URL to get updated without special characters, if there are any, when it is invoked initially? Without a page reload, will the URL get updated without special characters?

Initial URL with special characters:

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special characters and reloading the page, it should be displayed like below:

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1

Are you saying that without a page reload also it is fine, and there is no need to reload/redirect the page with the updated request param? For example, the below will replace the special characters in the accountName input passed to the page:

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>

and this accountName will be passed to the other links in the same page. That's it; there is no need to redirect the page to the same accountDisplay.jsp with the accountName displayed without special characters so that it is not susceptible to XSS? It will be like:

<c:set var="accountName" value="${fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(fn:replace(lmsRequest,'=',''),'"',''),'%', ''),'&',''),'(',''),')','')}"/>
Redirect to -> <Redirect:XXX name="url" value="/test/xxx/accountDisplay?accountName=${accountName}" />

Please clarify here whether the reload is not needed, and why?

1 week ago
JSP
Thanks, but when we are replacing the special characters with replace, it should reload the page to ensure the URL is updated accordingly with no special characters, like below. For that at least I need to do a conditional check with fn:contains, right? Else how can I reload the page if there are special characters in the request param (accountName)? Please clarify.

Initial URL with special characters:

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special characters and reloading the page, it should be displayed like below:

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1
1 week ago
JSP
Yes, right, we need to replace the special characters in the input with space, and I need to do it only when the input has the special characters; if not, leave it as it is, else replace with space and reload the page to ensure the URL is updated with input which doesn't contain these special characters.

Initial URL with special characters:

https://test.xxx.com/accountDisplay.jsp?accountName=%test"test1(=%

After replacing the special characters and reloading the page, it should be displayed like below:

https://test.xxx.com/accountDisplay.jsp?accountName=testtest1

This is what i am looking at.

Thanks
1 week ago
JSP
We need to check whether the passed input accountName has any of these special characters:

& ( ) % " =

If it is there, replace these characters with space.
1 week ago
JSP
Hi Team,

How can I verify whether the string value accountName contains any of the below special characters using the fn:contains JSTL function?

& ( ) % " =

If any of these characters are present in accountName then we need to use fn:replace to replace the special character with space. Please let me know how we can evaluate multiple fn:contains to check multiple special characters in JSP.

Thanks in advance
1 week ago
JSP
Thanks Dave. If the c:out tag escapes XML, will the script value passed still be displayed? I see in the below link they mention that the script will be displayed but won't be executed, so the user input is safe?

https://security.stackexchange.com/questions/115395/how-to-prevent-reflected-xss-with-the-java-struts-framework

Not sure what the meaning of "it won't be executed and is safe" is, as the alert is still displayed? Please explain. In that case how can we consider the c:out tag to prevent XSS attacks?
1 week ago
JSP
Hi,

I have the ${username} variable, which is replaced by the content of the username parameter in a request (typical reflected XSS).

So the request www.yoursite.com/somepage?username=<script>alert('XSS');</script>

would indeed prove the effectiveness of the XSS, with an alert box popping up as a proof of concept.

If we replace the code with the following:

<p>Hello, dear <c:out value="${username}" /></p>

is the <script>alert('XSS');</script> still displayed on the page? In that case is it still executed, and therefore again unsafe and susceptible to XSS attacks?

Could you please highlight how the JSTL c:out tag makes sense in handling the XSS issues if the JavaScript alert passed in the username input is still getting displayed?

Thanks in advance.
1 week ago
JSP
Thanks Paul. In that case, should the input sanitization be done at the server side in Java code rather than in JSP? If that is the case, why do the below links mention using <c:out> and <fn:escapeXml> for HTML sanitization in JSP?

https://hdivsecurity.com/owasp-xss
https://stackoverflow.com/questions/2658922/xss-prevention-in-jsp-servlet-web-application
1 week ago
JSP
Hi Team

How can I sanitize the input data in JSP? I am already using <c:out> as mentioned in the below link to prevent XSS attacks. I want to handle this from the client side/JSP. I was going through the below URL; there it is mentioned to use <c:out> for sanitization.

https://hdivsecurity.com/owasp-xss

Why is <c:out> not working here as mentioned in the above link? I am not getting how we can sanitise the input data (userId) here to prevent XSS attacks.

The other option is using ${fn:escapeXml(userId)}:

<a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=${fn:escapeXml(userId)}">Customer Data</a>

Is there any other option we have to ensure the input is encoded and not susceptible to XSS attacks from JSP? Please provide your expert opinion and let me know where I am going wrong.
1 week ago
JSP
Hi Team,

Any update on this issue is highly appreciated. Thanks in advance.
1 week ago
JSP
Thanks Dave, but how can I sanitize the input data in JSP? I am already using <c:out> as mentioned in the below link to prevent XSS attacks. I want to handle this from the client side/JSP. I was going through the below URL; there it is mentioned to use <c:out> for sanitization.

https://hdivsecurity.com/owasp-xss

Why is <c:out> not working here as mentioned in the above link? I am not getting how we can sanitise the input data (userId) here to prevent XSS attacks.

The other option is using ${fn:escapeXml(userId)}:

<a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=${fn:escapeXml(userId)}">Customer Data</a>

Is there any other option we have to ensure the input is encoded and not susceptible to XSS attacks from JSP? Please provide your expert opinion and let me know where I am going wrong.

1 week ago
JSP
Thanks Lacar, could you please let me know what is the best way to sanitize the input value before it is displayed/rendered in the browser, as the <c:out> added here is not having any impact, and based on the testing we are still seeing the XSS popup being displayed when we pass a request value like below:

<a id="customerData" class="btn-link" href="/xxx/test/customerData.jsp?userId=<c:out value= '${userId}'/>">Customer Data</a>

Testing is done by passing the below value for userId, which is not preventing the XSS and is displaying the alert message with 123, even after adding the <c:out> as above.

/xxx/test/customerData.jsp?userId=%22whscheck=%22whscheck%22onmouseover=%22alert(123)%22&userId=-4658372095924766409&login=success&_requestid=3980

I want to handle this through the JSTL tag at the client side; please let me know whether there is any other option to handle XSS attacks by encoding the userId input value that is getting passed to the anchor tag?

Thanks in advance.

1 week ago
JSP
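An added example in plain Java (not code from any post in this thread or from the poster's project) that puts the two approaches discussed above side by side: the fn:replace character blacklist from the accountName posts, and encoding the value for the context it actually lands in (a query-string value inside an HTML href attribute, as in the customerData.jsp posts). `escapeXml` is assumed to apply the same five replacements as JSTL's `<c:out>`/`fn:escapeXml`; the class and method names are hypothetical, and the two inputs are constructed from the payloads quoted in the thread.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public final class ParamEncoding {

    // Assumed to match JSTL <c:out escapeXml="true"> / fn:escapeXml: only these five characters change.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The thread's fn:replace chain: drops a fixed list of characters; anything
    // outside the list ('<', '>', '\'', ';', ...) passes through untouched.
    static String stripBlacklist(String s) {
        return s.replace("=", "").replace("\"", "").replace("%", "")
                .replace("&", "").replace("(", "").replace(")", "");
    }

    // Context-aware encoding for ?userId=...: URL-encode the value first (what
    // <c:url>/<c:param> do), then HTML-escape because the URL sits in an attribute.
    static String hrefParam(String value) {
        String urlEncoded = URLEncoder.encode(value, StandardCharsets.UTF_8);
        return escapeXml(urlEncoded);
    }

    static String link(String userId) {
        return "<a href=\"/xxx/test/customerData.jsp?userId=" + hrefParam(userId) + "\">Customer Data</a>";
    }

    public static void main(String[] args) {
        // Constructed from the URL-decoded userId probe quoted in the thread.
        String probe = "\"whscheck=\"whscheck\"onmouseover=\"alert(123)\"";
        System.out.println(stripBlacklist(probe)); // whscheckwhscheckonmouseoveralert123
        System.out.println(link(probe));           // quotes become %22, so the attribute cannot be closed
        // Constructed from the username example: the blacklist leaves it unchanged.
        String script = "<script>alert('XSS');</script>";
        System.out.println(stripBlacklist(script));
        System.out.println(link(script));          // %3Cscript%3E...: inert in the href
    }
}
```

The blacklist version keeps the page "clean" only for the characters someone remembered to list; the encoded version is safe regardless of which characters the input contains, which is why the replies in the thread steer away from stripping and toward output encoding.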