A3:2021 | Cross Site Scripting Mitigation (5) | Cycubix Docs
Reflective XSS
See the HTML file below, which passes data to a JSP file.
Here is the JSP file:
As you can see the JSP file prints unfiltered user input which is never a good idea. You want people to access the page like this:
But what happens if someone uses this link:
It is your turn!
Try to prevent this kind of XSS by escaping the URL parameters in the JSP file:
Solution
Hint: You do not store the user input in this example. Try to encode the user's input right before you place it into the HTML document. We need to make use of JavaServer Pages Standard Tag Library (JSTL) and JSP Expression Language.
We can also take a look at OWASP Java Encoder Project. One additional hint mentions that we should not forget to reference the tag libs and choose "e" as prefix.
So we know we will be using OWASP Java Encoder Porject to mitigate XSS vulnerabilities. We will declare the use of a tag library with taglib in the JSP file.
A table tag will create a table to display the form of data.
Tr Tags will define rows within the table. Td tags will define cells within each road.
Parameters
first_name
andlast_name
from the request, will encode them using the OWASP Java Encoder, and then displays them in a table.Here is the code:
Last updated