WebApp Sec mailing list archives
Re: Potential XSS errors when using information from HTTP requests
From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Sun, 17 Oct 2004 21:36:36 -0400
Wide open redirectors should be avoided. We see these frequently in applications that redirect to error pages, login pages, and other parts of the application. An attacker can use these to redirect a user's browser to anywhere without validation. So they're just asking to be abused by pfishers. Gives the pfisher a bit of credibility since the real application did the redirecting. If you're redirecting, make sure you 1) validate the targets carefully, and 2) remember that the redirect goes through the user's browser and can be changed. Don't trust anything from an HTTP request, even if it came from a redirect. --Jeff Jeff Williams Aspect Security, Inc. http://www.aspectsecurity.com ----- Original Message ----- From: "V.Benjamin Livshits" <livshits () cs stanford edu> To: <webappsec () securityfocus com> Sent: Saturday, October 16, 2004 5:27 PM Subject: Potential XSS errors when using information from HTTP requests
I've been seeing a lot of redirects like the ones below in J2EE programs. 1. response.sendRedirect(request.getParameter("REFERRER")); 2. response.sendRedirect(request.getRequestURI()); 3. response.sendRedirect(request.getServletPath() + toPath); Since the URL the user is being redirected to comes from the HTTP header, I was wondering if forging parts of the header may lead to a cross-site scripting exploit of some sort. Clearly, it would be dangerous to use this data as part of SQL statements. However, I have trouble imagining XSS exploit scenarios. Thanks, -Ben
Current thread:
- Potential XSS errors when using information from HTTP requests V.Benjamin Livshits (Oct 17)
- Re: Potential XSS errors when using information from HTTP requests Amit Klein (AKsecurity) (Oct 18)
- Re: Potential XSS errors when using information from HTTP requests Tibor Veres (Oct 18)
- Re: Potential XSS errors when using information from HTTP requests Paul Johnston (Oct 18)
- Re: Potential XSS errors when using information from HTTP requests Jeff Williams (Oct 18)
- <Possible follow-ups>
- RE: Potential XSS errors when using information from HTTP requests Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Oct 18)