WebApp Sec mailing list archives
RE: Potential XSS errors when using information from HTTP requests
From: "Calderon, Juan Carlos (GE Commercial Finance, NonGE)" <juan.calderon () ge com>
Date: Mon, 18 Oct 2004 10:12:41 -0400
I can see a potential XSS issue in the first option, since Java contains a design issue allowing you to obtain information sent through GET or POST (and, as far as I can see, HTTP headers) using the same sentence and with no form to change this behaviour (I mean calling request.getParameter). In the event you enter a URL field and a Form field with the same name and send them to the server, the URL field will take precedence and thus be taken by request.getParameter. Therefore, adding a REFERER parameter to a URL (probably?) will take precedence over the HTTP header as well. A little more research will confirm or discard this issue using an HTTP header.

Best Regards,
-Juan Carlos Calderon

-----Original Message-----
From: V.Benjamin Livshits [mailto:livshits () cs stanford edu]
Sent: Saturday, October 16, 2004 04:27 p.m.
To: webappsec () securityfocus com
Subject: Potential XSS errors when using information from HTTP requests

I've been seeing a lot of redirects like the ones below in J2EE programs.

1. response.sendRedirect(request.getParameter("REFERRER"));
2. response.sendRedirect(request.getRequestURI());
3. response.sendRedirect(request.getServletPath() + toPath);

Since the URL the user is being redirected to comes from the HTTP header, I was wondering if forging parts of the header may lead to a cross-site scripting exploit of some sort. Clearly, it would be dangerous to use this data as part of SQL statements. However, I have trouble imagining XSS exploit scenarios.

Thanks,
-Ben
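One way to constrain the redirect targets in the three patterns quoted above before they reach response.sendRedirect, shown as an added example that is not code from either poster. The class name SafeRedirect, the method localTargetOr and the "/" fallback are hypothetical, and the sample inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example: hypothetical helper, not code from the thread.
public class SafeRedirect {

    // Returns target only if it is a path inside this application, else fallback.
    static String localTargetOr(String target, String fallback) {
        if (target == null || target.isEmpty()) {
            return fallback;
        }
        // Control characters (CR, LF, NUL, ...) must never reach the Location header.
        for (int i = 0; i < target.length(); i++) {
            if (Character.isISOControl(target.charAt(i))) {
                return fallback;
            }
        }
        // Require a rooted path. "//host" and "/\host" look local, but browsers
        // resolve them to another site.
        if (target.charAt(0) != '/' || target.startsWith("//") || target.indexOf('\\') >= 0) {
            return fallback;
        }
        try {
            // Syntax check, plus a second guard against a scheme or authority.
            URI uri = new URI(target);
            if (uri.isAbsolute() || uri.getRawAuthority() != null) {
                return fallback;
            }
        } catch (URISyntaxException e) {
            return fallback;
        }
        return target;
    }

    // In a servlet (assumed usage):
    //   response.sendRedirect(localTargetOr(request.getParameter("REFERRER"), "/"));
    public static void main(String[] args) {
        String[] samples = {            // constructed inputs
            "/account/home?tab=1",      // local path: allowed
            "http://other.example/",    // absolute URL to another site
            "//other.example/path",     // scheme-relative URL
            "/ok\r\nmore",              // line break inside the value
        };
        for (String s : samples) {
            boolean ok = s.equals(localTargetOr(s, "/"));
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println((ok ? "allow  " : "reject ") + shown);
        }
    }
}
```

Only the first sample is passed through unchanged; the other three fall back to "/".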
Current thread:
- Potential XSS errors when using information from HTTP requests V.Benjamin Livshits (Oct 17)
- Re: Potential XSS errors when using information from HTTP requests Amit Klein (AKsecurity) (Oct 18)
- Re: Potential XSS errors when using information from HTTP requests Tibor Veres (Oct 18)
- Re: Potential XSS errors when using information from HTTP requests Paul Johnston (Oct 18)
- Re: Potential XSS errors when using information from HTTP requests Jeff Williams (Oct 18)
- <Possible follow-ups>
- RE: Potential XSS errors when using information from HTTP requests Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Oct 18)