java - ESAPI for XSS prevention not working -


i working on fixing cross site scripting issues in our code in jsps.

below original code

 //scriplet code     <% string userid = request.getparameter("sid");      ...%>

and in same jsp have

     <input type = hidden name = "userid" value = "<%= userid %>" />

i have made changes include esapi-2.1.0.jar in lib , esapi.properties, validation.properties in classpath. made below changes scriplet code fix above code

      //scriplet code     <% string userid = esapi.encoder().encodeforhtml(request.getparameter("sid"));      ...%>

i thought fix issue when scan code using fortify, these lines again highlighted having xss issue. please if guys have idea on how should handled. thanks.

------- update

thanks lot @avgvstvs. insightful.follwd guidelines, not sure if missng somethn. code -

          string              usersid=esapi.encoder().encodeforhtmlattribute(request.getheader("janus_sid")); session.setattribute("username",usersid);<input type=hidden name="username" value="<%= usersid %>"

and varibale debug, below usage 

       string debugflag =  esapi.encoder().encodeforjavascript(request.getparameter("debug"));var debugflag = "<%= debugflag%>";if(debugflag == "y"){                document.title=   title + " (" + host + ")";         defaultapptitle = title + " (" + host +  ")";                }

latest fortify scan still lists them vulnerabilities :-(

the first question need ask should "what code interpreters handing value off to?"

preventing xss unfortunately isn't recipe-based task, , looks of it--your application using scriptlets, aside being bad java practice, makes more difficult static code-scanning tools fortify give accurate results. jsps compiled @ runtime, fortify scans source only. should note there should future tasks/stories filed refactor scriptlets jstl--you'll thank me later. can use esapi taglibs these use cases. fortify okay job of scanning pure java code, , taglibs give that.

  1. esapi.encoder().encodeforhtml(userid) going protect xss in use case variable in question going placed between tags, <span><%= userid %></span> isn't case have.

  2. esapi.encoder().encodeforhtmlattribute(userid) want in particular, narrow use-case. because escaping rules different in html attributes data placed within tags. should fix immediate problem.

  3. if value going used exclusively javascript, want esapi.encoder().encodeforjavascript(userid)

  4. if value going renderable html being sent javascript function render markup, element.innerhtml = “<html> tags , markup”; want <%=encoder.encodeforjs(encoder.encodeforhtml(userid))%>

this few examples, here few more--but overriding gist of answer this: need know complete flow of data every variable in application , always encode appropriate output context. , in security world, "context" means "data being handed off new code interpreter." if implement understanding well, won't need fortify anymore! :-)

====added complexity====

in comment noted value later being used javascript. correct solution in case to fork 2 different variables, each 1 set proper encoding. html attribute case:

string escapedhtmluserid = esapi.encoder().encodeforhtmlattribute(userid);

for javascript case:

string escapedjsuserid = esapi.encoder().encodeforjavascript(userid);

then use values appropriately. if used jstl/taglibs, use right esapi taglib in right place instead of splitting 2 separate scriptlet variables.

===and 1 more thing===

from comment on op:

we have initial scriptlet declaration:

<% string userid = esapi.encoder().encodeforhtml(request.getparameter("sid")); ...%>

and used later in javascript function:

<%= esapi.encoder().encodeforjavascripl(userid)%>

just point out, presented, userid variable stops being raw text on initialization. effectively, encoding javascript becomes this:

 <% esapi.encoder().encodeforjavascript(esapi.encoder().encodeforhtml(request.getparameter("sid")));      ...%>

if javascript going rendering html using *.innerhtml() or *.outerhtml() fine. otherwise, note input has changed raw state.

also, watch fact javascript can undo you've done , ensure javascript isn't doing similar.

==========more added code, more questions========

so we've traced our data paths, we've double-checked our jsp in question isn't being included in different jsp introduces new contexts defend against, it's @ point i'd smell "false positive," if i'd contact hp support , raise issue false positive. don't know enough of specifics of application of more use here unless had access full source. because you're dealing scriptlets--its possible fortify can't trace full data path variable instantiation eventual output, failing fast can @ least warn found "so far."


Comments

Post a Comment

Popular posts from this blog

javascript - AngularJS custom datepicker directive -

i make custom datepicker directive custom template. but have no idea how start building it... how include date data directive? i appreciate guide or give me advice work on more precisely. it might you! follow below steps html code sample: <label>birth date</label> <input type="text" ng-model="birthdate" date-options="dateoptions" custom-datepicker/> <hr/> <pre>birthdate = {{birthdate}}</pre> <script type="text/ng-template" id="custom-datepicker.html"> <div class="enhanced-datepicker"> <div class="proxied-field-wrap"> <input type="text" ui-date-format="yy-mm-dd" ng-model="ngmodel" ui-date="dateoptions"/> </div> <label> <button class="btn" type="button"><i class="icon-calendar"></i>
Read more

javascript - jQuery date picker - Disable dates after the selection from the first date picker -

<!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <title>jquery ui datepicker - default functionality</title> <link rel="stylesheet" href="//code.jquery.com/ui/1.11.4/themes/smoothness/jquery-ui.css"> <script src="//code.jquery.com/jquery-1.10.2.js"></script> <script src="//code.jquery.com/ui/1.11.4/jquery-ui.js"></script> <link rel="stylesheet" href="/resources/demos/style.css"> <script> $(function () { $("#datepicker1").datepicker(); }); </script> <script> $(function () { $("#datepicker2").datepicker(); }); </script> </head> <body> <p>date 1: <input type="text" id="datepicker1"></p> <p>date 2: <input type="t
Read more