Hello! Is it true that the following code adds an XSS vulnerability to some JSP page?

<!--    <%=paramName%>=<%=request.getParameter(paramName)%><BR>  -->

It looks like a "leftover debug" and definitely should be removed from the code, but how dangerous is it?

+5  A: 

Yes, what you are looking at is a reflective XSS attack. This is dangerous because it allows an attacker to hijack an authenticated session. If you have this code running on your system, an attacker will be able to access other people's accounts without needing to know their username/password.

XSS vulnerabilities can also be used to bypass CSRF protection. This is because XSS allows the attacker to read the value of a CSRF token using XmlHTTPRequest. XSS can also be used to fool referer checks.

Here is a simple way to manually test for XSS; here I am breaking out of the HTML comment to execute JavaScript.

http://localhost/xss_vuln.jsp?paramName='--><script>alert(document.cookie)</script><!--'

This is a free XSS scanner; you should test all applications that you write.

Rook
Bear in mind that most, if not all, XSS scanners find only the simplest classes of XSS vulnerabilities and use only a very limited set of attack vectors. Understand the problem better to fix your code. See http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet for some simple rules.
Cheekysoft
@Cheekysoft very true, but it's also likely that an attacker is using the same simple tests against your application. Nothing is 100%, and that is yet another advantage the attacker has.
Rook
+1  A: 

The JSP parser handles HTML comments as template text. It doesn't ignore their contents. HTML comments are only ignored by HTML parsers/interpreters (web browsers!). You should use JSP comments instead to prevent the JSP parser from processing that particular piece of code.

<%--    <%=paramName%>=<%=request.getParameter(paramName)%><BR>  --%>

Note the <%-- --%> style as opposed to <!-- --> HTML comment style. The JSP parser won't parse them, but it removes them from the output. Thus you won't see them in the generated HTML output.

The XSS risk is here because you're not escaping user-controlled input. Request parameters are fully controllable by end users. The end user may for instance pass --><script>alert('xss')</script><!-- as parameter value and it would get executed. This puts the doors wide open for XSS and CSRF attacks. The malicious script may for example send all cookies by an Ajax request to a malicious server. The attacker can then just copy the cookie value to be able to be logged in as yourself.

You should use JSTL c:out tag or fn:escapeXml function to escape user-controlled input. I've answered this in detail several times before, under each here. More explanation about CSRF can be found in my answer here.

BalusC
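The two fixes from the answer above, combined into one JSP fragment as an added example (not code from the question or from BalusC): the leftover line moved into a JSP comment, and, assuming the debug dump was meant to list every request parameter (the `paramName` variable suggests a loop), an escaped version built on JSTL `c:out` and `fn:escapeXml`.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="c"  uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

<%-- 1. The leftover debug line inside a JSP comment. The translator drops
        everything between <%-- and --%>, so neither the scriptlet nor the
        text is evaluated or sent to the browser. --%>
<%--    <%=paramName%>=<%=request.getParameter(paramName)%><BR>  --%>

<%-- 2. If a parameter dump is really needed, escape both name and value.
        ${param} is the request-parameter map; c:out escapes < > & ' "
        by default (escapeXml="true"), so a value such as
        --><script>alert('xss')</script><!-- is rendered as text, not markup.
        (Assumption: the original loop iterated all parameters.) --%>
<c:forEach var="p" items="${param}">
  <c:out value="${p.key}"/>=<c:out value="${p.value}"/><br>
</c:forEach>

<%-- 3. Same protection for a single parameter via fn:escapeXml in EL;
        "paramName" is the parameter name used in the question. --%>
${fn:escapeXml(param.paramName)}<br>
```

With the escaped form, the test URL from the first answer shows the literal string `--><script>...` on the page instead of running it.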