Dynamic variable in Spring expression

Bug Pattern: JSP_SPRING_EVAL

A Spring expression is built with a dynamic value. The source of the value(s) should be verified so that unfiltered values cannot reach this risky expression evaluation.

Vulnerable Code:

  <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
  <spring:eval expression="${param.lang}" var="lang" />

  <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
  <spring:eval expression="'${param.lang}'=='fr'" var="languageIsFrench" />

Solution:

  <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
  <c:set var="lang" value="${param.lang}"/>

  <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
  <c:set var="languageIsFrench" value="${param.lang == 'fr'}"/>

References
CWE-94: Improper Control of Generation of Code (‘Code Injection’)
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)

Escaping of special XML characters is disabled

Bug Pattern: JSP_JSTL_OUT

A potential XSS was found: with escaping disabled, the value is written into the page as-is, which could be used to execute unwanted JavaScript in a client’s browser. (See references.)

Vulnerable Code:

  <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
  <c:out value="${param.test_param}" escapeXml="false"/>

Solution:

  <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
  <c:out value="${param.test_param}"/>
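The following is an added example, not code from this page or from the Find Security Bugs project. It covers both patterns above: a small source check that flags a spring:eval whose expression attribute is assembled from a runtime value (an EL ${...} or #{...} expression or a <%= %> scriptlet, the JSP_SPRING_EVAL case) and a c:out with escapeXml="false" (the JSP_JSTL_OUT case), and an emulation of the five replacements JSTL's c:out performs when escaping is on, so the difference between the two c:out forms is visible. The sample JSP text, the tag prefixes "spring" and "c", and the one-tag-per-line attribute layout are assumptions of the example.

```python
"""Added example: a simple JSP source check for the JSP_SPRING_EVAL and
JSP_JSTL_OUT patterns, plus an emulation of JSTL's escapeXml behaviour.
Assumes tags are written as <prefix:name attr="value" .../> on one line."""
import re

# A spring:eval or c:out tag; group 2 is the raw attribute text.
TAG_RE = re.compile(r"<(spring:eval|c:out)\b([^>]*?)/?>")
# name="value" or name='value' attribute pairs.
ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"|([\w:-]+)\s*=\s*\'([^\']*)\'')


def parse_attrs(raw):
    """Turn the raw attribute text of a tag into a dict."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        if m.group(1) is not None:
            attrs[m.group(1)] = m.group(2)
        else:
            attrs[m.group(3)] = m.group(4)
    return attrs


def is_dynamic(value):
    """True when the attribute value is built from a runtime value: an EL
    expression (${...} / #{...}) or a scriptlet (<%= ... %>). The EL is
    substituted into the text before the Spring expression parser runs,
    so it is string concatenation into code, not a parameter."""
    return "${" in value or "#{" in value or "<%=" in value


def find_findings(jsp):
    """Return (pattern, line) tuples for the two bug patterns."""
    findings = []
    for m in TAG_RE.finditer(jsp):
        tag, attrs = m.group(1), parse_attrs(m.group(2))
        line = jsp.count("\n", 0, m.start()) + 1
        if tag == "spring:eval" and is_dynamic(attrs.get("expression", "")):
            findings.append(("JSP_SPRING_EVAL", line))
        elif tag == "c:out" and attrs.get("escapeXml", "true").strip().lower() == "false":
            # escapeXml defaults to true in JSTL, so only an explicit "false" is flagged.
            findings.append(("JSP_JSTL_OUT", line))
    return findings


def escape_xml(s):
    """The five replacements JSTL's c:out applies when escapeXml is true.
    '&' goes first so the entities produced afterwards are not re-escaped."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&#034;")
             .replace("'", "&#039;"))


def render_out(value, escape=True):
    """What <c:out value="..." escapeXml="..."/> writes into the response."""
    return escape_xml(value) if escape else value


# Constructed sample: the page's vulnerable and fixed tags plus one static
# spring:eval that must not be flagged.
SAMPLE_JSP = """\
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<spring:eval expression="${param.lang}" var="lang" />
<spring:eval expression="'${param.lang}'=='fr'" var="languageIsFrench" />
<spring:eval expression="'fr'.toUpperCase()" var="upperFr" />
<c:set var="lang" value="${param.lang}"/>
<c:out value="${param.test_param}" escapeXml="false"/>
<c:out value="${param.test_param}"/>
"""

if __name__ == "__main__":
    for pattern, line in find_findings(SAMPLE_JSP):
        print(f"line {line}: {pattern}")
    sample_value = '<b>"x" & \'y\''
    print("escapeXml=false :", render_out(sample_value, escape=False))
    print("escapeXml=true  :", render_out(sample_value))
```

Running the module lists lines 3, 4 and 7 of the sample as findings; the static spring:eval on line 5 and the default c:out on line 8 are not reported. The escaping emulation shows why the default form is the fix: every character that could open a tag, entity or attribute in the output is turned into an entity before it reaches the browser.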

References
WASC-8: Cross Site Scripting
OWASP: XSS Prevention Cheat Sheet
OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
JSTL Javadoc: Out tag