How to Fix XSS on hidden fields - jsp

There is an XSS vulnerability in one of the JSP files, where we have used hidden fields. The following hidden fields are vulnerable to XSS:
<input type="hidden" name="input1" value="<%=dummyInputValue%>"/>
<input type="hidden" name="input2" value="<%=dummyInputValue1%>"/>
where dummyInputValue comes from the request object, something like request.getParameter("dummyInputValue").
I am not sure how to fix these fields to avoid the XSS vulnerability. Kindly help me on this.
By accessing the following URL (example):
http://localhost:7001/app1/PeopleSearch.jsp?input1=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e&input2=dummyValue1
Triggering the XSS requires alt+shift+x (Windows) or ctrl+alt+x (Mac).

I fixed the issue after reading the comment given by Jozef. XSS is prevented in JSP by using the JSTL tag, that is, by changing the code as below:
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%-- c:out escapes < > & " ' by default (escapeXml="true"), so the value cannot close the attribute --%>
<input type="hidden" name="input1" value="<c:out value="${dummyInputValue}"/>"/>

Related

How to defend against stored XSS inside a JSP attribute value in a form

Question: How to defend against stored XSS inside a JSP attribute value in a form?
The initial code is like:
<form ..>
<input value="<c:out value="${name}"/>" type="text" />
</form>
Using c:out:
<input value="<c:out value="${name}"/>" type="text" />
or esapi:encodeForHTMLAttribute?
<%@ taglib prefix="esapi" uri="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API" %>
<input value="<esapi:encodeForHTMLAttribute>${name}</esapi:encodeForHTMLAttribute>" type="text" />
My first thought: From what I read, the ESAPI encoding is the safest way. I don't think c:out is safe enough when we are writing the value of an attribute. Based on the OWASP cheat sheet to prevent XSS, escaping should be done differently depending on the context where the value is used, an attribute value in this case. c:out only escapes HTML-sensitive characters, so only these characters: & < > " ' /.
An example of vulnerability: it is possible someone deletes by mistake the characters " or ' surrounding the attribute value. The page will still be valid HTML and work well. But if the value to be inserted in the attribute is something onclick=alert(1) then, because c:out will not escape anything, we will have the HTML <input value=something onclick=alert(1) ..., which will execute JavaScript on click.
Thanks to @avgvstvs for confirming this approach. So the safe way to go is indeed encodeForHTMLAttribute.
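The following Java program is an added example, not code from either post and not the real JSTL or ESAPI implementation. It uses two stand-in encoders written for this example: escapeXml, which replaces only the five characters that c:out and fn:escapeXml replace, and encodeForHtmlAttribute, which follows the OWASP attribute rule of encoding every non-alphanumeric character as &#xHH;. It then renders the hidden input from the first question with the decoded probe payload from the scanner URL, and the text input from the second post with the onclick payload, so the difference between a quoted and an unquoted attribute is visible in the output.

```java
// Added example: JSTL-style escaping versus full HTML-attribute encoding.
// Both encoders are simplified stand-ins written for this demonstration.
import java.util.Locale;

public class AttributeEscapingDemo {

    // What <c:out> / fn:escapeXml do with escapeXml="true": only the five
    // XML-sensitive characters are replaced (numeric entities as JSTL emits them).
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // OWASP XSS prevention rule #2 style attribute encoder: everything outside
    // [A-Za-z0-9] becomes &#xHH;, so no character can end or extend the attribute,
    // whether or not the template author kept the surrounding quotes.
    static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
                out.append(c);
            } else {
                out.append("&#x")
                   .append(Integer.toHexString(c).toUpperCase(Locale.ROOT))
                   .append(';');
            }
        }
        return out.toString();
    }

    // The hidden field rendered as the original scriptlet did (no escaping).
    static String rawScriptlet(String value) {
        return "<input type=\"hidden\" name=\"input1\" value=\"" + value + "\"/>";
    }

    // The hidden field rendered through a c:out inside a quoted attribute.
    static String quotedCout(String value) {
        return "<input type=\"hidden\" name=\"input1\" value=\"" + escapeXml(value) + "\"/>";
    }

    // The second post's scenario: quotes lost, value escaped only with c:out.
    static String unquotedCout(String value) {
        return "<input value=" + escapeXml(value) + " type=\"text\"/>";
    }

    // Same unquoted attribute, value passed through the attribute encoder.
    static String unquotedAttributeEncoded(String value) {
        return "<input value=" + encodeForHtmlAttribute(value) + " type=\"text\"/>";
    }

    public static void main(String[] args) {
        // URL-decoded input1 parameter from the scanner URL in the question.
        String probe = "\"><sCrIpT>alert(83676)</sCrIpT>";
        System.out.println(rawScriptlet(probe));   // attribute closes early; script element is live
        System.out.println(quotedCout(probe));     // &#034;&gt;&lt;sCrIpT&gt;... stays inside value=""

        // Payload from the second post; only dangerous once the quotes are gone.
        String attr = "something onclick=alert(1)";
        System.out.println(unquotedCout(attr));    // space survives, so onclick becomes a second attribute
        System.out.println(unquotedAttributeEncoded(attr)); // something&#x20;onclick&#x3D;alert&#x28;1&#x29; is one value
    }
}
```

The browser decodes &#x20; and &#x3D; back into the attribute value only after it has already decided where the attribute ends, which is why the attribute-encoded form survives a missing quote while the escapeXml form does not. Inside a properly quoted attribute both encoders are sufficient, because escapeXml covers the one character (the quote) that could close it.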

hidden input in JSP returns null in the Servlet

This is the form in my JSP:
<form id="withdrawFromAccountForm" action="${pageContext.request.contextPath}/ActionServlet" method="post" enctype="text/plain">
<input type="hidden" name="jspId" value="viewClientDetails" />
<input type="submit" class="submit" value="Enter" />
</form>
And this is the code in my servlet:
String whatJsp = request.getParameter("jspId");
if (whatJsp.equals("viewClientDetails"))
{
//code ..
}
When I hit the submit button in the JSP, the servlet goes to the if statement that checks
if the JSP is the "viewClientDetails" JSP with the hidden input, but that input gives null...
Does anyone see where the problem is?
Thanks.
The problem may be here:
<form ... enctype="text/plain">
^ here
From w3schools:
The enctype attribute specifies how the form-data should be encoded when submitting it to the server.
text/plain: Spaces are converted to "+" symbols, but no special characters are encoded
Probably your server doesn't recognize or cannot parse the attributes when using this enctype. Remove it or use the default value application/x-www-form-urlencoded for it.
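The following Java program is an added example, not the poster's servlet or a real container. It models what a servlet container does with a POST body: it fills the parameter map only when the Content-Type is application/x-www-form-urlencoded, and leaves any other body, including text/plain, unread, which is why request.getParameter("jspId") returns null for that form. The two request bodies are constructed here to match what a browser sends for the form in the question. The dispatch method also uses the constant-first "viewClientDetails".equals(whatJsp) comparison, so a missing parameter yields a normal "unknown" path instead of a NullPointerException from whatJsp.equals(...).

```java
// Added example: why enctype="text/plain" leaves getParameter() null, and a
// null-tolerant dispatch for the servlet. Not the poster's code.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class FormEncodingDemo {

    // Miniature of the container's parameter parsing: only urlencoded bodies
    // populate the parameter map; anything else is left for the servlet to read itself.
    static Map<String, String> parseParameters(String contentType, String body) {
        Map<String, String> params = new HashMap<>();
        if (contentType == null || !contentType.startsWith("application/x-www-form-urlencoded")) {
            return params; // body ignored, so every getParameter() call returns null
        }
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Stand-in for the servlet's branch: constant-first equals() tolerates null,
    // unlike whatJsp.equals("viewClientDetails") which throws when the field is absent.
    static String dispatch(Map<String, String> params) {
        String whatJsp = params.get("jspId");
        if ("viewClientDetails".equals(whatJsp)) {
            return "client-details";
        }
        return "unknown-form";
    }

    public static void main(String[] args) {
        // Constructed bodies for the question's form (assumed browser serialisations).
        String plainBody = "jspId=viewClientDetails\r\n";   // enctype="text/plain"
        String urlEncodedBody = "jspId=viewClientDetails";  // default enctype

        System.out.println(dispatch(parseParameters("text/plain", plainBody)));                           // unknown-form
        System.out.println(dispatch(parseParameters("application/x-www-form-urlencoded", urlEncodedBody))); // client-details
    }
}
```

URLDecoder.decode(String, Charset) requires Java 10 or later; on older runtimes use the String charset-name overload. The parameter map stays empty for the text/plain body because the container never parses it, not because the field is missing from the form.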

How to transfer value from textbox of one jsp page to textbox of another jsp page?

I want to transfer the value entered in one textbox of one JSP page to another textbox in another JSP page.
Please help me.
It's unclear how you're interacting between the two JSPs. I'll assume that you've a <form> in the first JSP which submits to the second JSP. In that case, all submitted values are available as request parameters the usual way. You can access request parameters by ${param} in EL.
So, this should do in first.jsp:
<form action="second.jsp">
<input type="text" name="foo" />
<input type="submit" />
</form>
It'll be available by ${param.foo} in second.jsp:
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
...
<form ...>
<input type="text" name="bar" value="${fn:escapeXml(param.foo)}" />
...
</form>
(the fn:escapeXml() is mandatory to prevent XSS attack holes)
In plain JSP you can use the JSP built-in request object to get the field value.
Use:
<%= request.getParameter("FIELD_NAME_IN_SECOND_JSP") %>
If you are using Struts, you can first send the data to the server (e.g. struts value). Set any class property with this JSP field value and get this property value in the second JSP page using struts tag lib.

When I view Page Source of my aspx page in browser I see this

<form name="aspnetForm" method="post" action="/Web/Test.aspx" id="aspnetForm">
<div>
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="...........
and this ViewState's value goes on and on and on..........
What on earth is this long value for? How do I get rid of this... I don't want it appearing in my page source. Something is apparently wrong.
There's nothing wrong.
The ViewState is a special place where ASP.NET holds the values of all your ASP.NET controls so that the values will be remembered if the browser is refreshed or when you pass it along to other pages. You can also use it to store your own custom variables.
It slows down things a bit, and many have reported good results by disabling viewstate.
I program in ASP.Net MVC which doesn't use the viewstate and I also don't use Session to maximise the performance. Let me warn you though, that's a difficult way to live.
This MSDN article on ViewState will give you some more information about ViewState:
You can disable ViewState on the page level by setting the EnableViewState attribute to false.
<%@ Page EnableViewState="False" ... %>
You should make sure you don't actually need viewstate - many of the ASP.NET server controls maintain their internal state using information stored in the viewstate.
Check this out for an article with more detailed info.

access hidden field value into another jsp file

I have a hidden field value:
<input type="hidden" id="i1" name="h1" value="Request Recieved"/>
I need the value to be read in another JSP file whose reference is mentioned in the current file.
I'm using out.println(request.getParameter("h1")); but it's printing null.
This will only work when you navigate to another JSP by a <form> which has this field embedded.
E.g. page1.jsp:
<form action="page2.jsp">
<input type="hidden" name="foo" value="bar">
<input type="submit">
</form>
And page2.jsp:
<p>Hidden value: ${param.foo}</p>
That's all. It won't work when you navigate by a link <a> or submit another form where the hidden field is not included.
(the ${param.foo} does effectively the same as out.print(request.getParameter("foo")), only in a less vintage and ugly manner. See also How to avoid Java code in JSP)
