
jsp - XSS HTTP parameter pollution and getQueryString()

Problem description:

I'm dealing with XSS issues and found a problem I don't know how to solve.

I've a report from Acunetix saying:

Details

POST (multipart) input query was set to idMenu=14&n907758=v929899

Parameter precedence: first occurrence

Affected link:

/MYAPP/jspfs/plantilla.jsp?idMenu=14&n907758=v929899&int1=-1&accion1=edit

Affected parameter: idMenu=14

In my JSP I've something like this:

    <input type="hidden" name="query" value="<%=StringEscapeUtils.escapeHtml4(request.getQueryString())%>" />

    <script>
      $(document).ready(function () {

        function send() {
            <%
                // strip idioma and grupo from the query; they are re-added from the form values below
                query = IncFuncionesPlx.cambiaAxB(query, "idioma", "");
                query = IncFuncionesPlx.cambiaAxB(query, "grupo", "");
            %>
            location.href="<%=IncVariablesPlx.getParameter("ruta0") + "jspfs/plantillasTickets/plantillasTickets.jsp"%><%=query%>&idMenu=<%=idMenu%>&idioma="+valIdioma+"&grupo="+valGrupo;
        }
      });
    </script>

So, the getQueryString() method used to build the URL is getting the value idMenu=14&n907758=v929899&int1=-1&accion1=edit, which is interpreted as a new param n907758.

NOTE: To solve other XSS issues, I'm using a filter where I canonicalize the request values, but in this case I've no clue how to distinguish the proper params from the injected one.

Any ideas to solve this?

Answer:

I've solved the Acunetix attack with these changes in the code. Hope it can help someone deal with this kind of problem.

        <%-- the input query has been deleted --%>
        <script>
          $(document).ready(function () {

            function send() {
                <%
                    // escape the raw query string, then strip idioma and grupo (re-added from the form below)
                    query = StringEscapeUtils.escapeHtml4(request.getQueryString());
                    query = IncFuncionesPlx.cambiaAxB(query, "idioma", "");
                    query = IncFuncionesPlx.cambiaAxB(query, "grupo", "");
                %>
                location.href="<%=IncVariablesPlx.getParameter("ruta0") + "jspfs/plantillasTickets/plantillasTickets.jsp" + query%>&idMenu=<%=idMenu%>&idioma="+valIdioma+"&grupo="+valGrupo;
            }
          });
        </script>
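The answer above still echoes the whole raw getQueryString() into the redirect, and escapeHtml4 escapes for an HTML text context while the value actually ends up inside a URL within a JavaScript string. A more robust alternative is to not echo the query string at all and instead rebuild it from the parameter names the target page really uses, taking only the first value of each (the "first occurrence" precedence the scanner reported) and URL-encoding it. The following is an added example written for this page, not code from the question or the answer; the class name and the allowlist are assumptions drawn from the parameters in the report, and it needs Java 10+ for the Charset overloads of URLEncoder/URLDecoder.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Rebuilds the redirect query string from an allowlist of parameter names
 * instead of echoing request.getQueryString() verbatim.
 *
 * - Unknown names (the injected n907758 from the report) are dropped.
 * - Only the first value of each name is used, so a polluted duplicate
 *   cannot override the real one.
 * - Names and values are URL-encoded: the right escaping for a value that
 *   ends up inside a URL (escapeHtml4 is meant for HTML text).
 *
 * Added example for this page, not code from the question or the answer.
 */
public class SafeQueryBuilder {

    // Hypothetical allowlist: the parameters plantillasTickets.jsp actually consumes.
    private static final List<String> ALLOWED = Arrays.asList("idMenu", "int1", "accion1");

    /**
     * @param params parameter map in the shape of request.getParameterMap()
     * @return a query string starting with '?', or "" if nothing survived
     */
    public static String build(Map<String, String[]> params) {
        StringBuilder sb = new StringBuilder();
        for (String name : ALLOWED) {
            String[] values = params.get(name);
            if (values == null || values.length == 0) {
                continue;
            }
            String value = values[0]; // first occurrence wins; extra copies are ignored
            sb.append(sb.length() == 0 ? '?' : '&')
              .append(URLEncoder.encode(name, StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(value, StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    /**
     * Parses a raw query string into the parameterMap shape so the demo runs
     * without a servlet container. In the JSP you would pass
     * request.getParameterMap() directly and not need this.
     */
    static Map<String, String[]> parse(String rawQuery) {
        Map<String, List<String>> acc = new LinkedHashMap<>();
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            acc.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        Map<String, String[]> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : acc.entrySet()) {
            out.put(e.getKey(), e.getValue().toArray(new String[0]));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: the scanner's payload from the report plus a polluted duplicate idMenu.
        String polluted = "idMenu=14&n907758=v929899&int1=-1&accion1=edit&idMenu=99";
        // Only idMenu=14, int1=-1 and accion1=edit survive; n907758 and the second idMenu are gone.
        System.out.println(build(parse(polluted)));
    }
}
```

In the JSP this replaces the `query` scriptlet: the redirect would be built as `plantillasTickets.jsp` + `SafeQueryBuilder.build(request.getParameterMap())`, with idioma and grupo simply left out of the allowlist instead of being stripped afterwards with cambiaAxB. The remaining server-side values interpolated into that JavaScript string (idMenu, ruta0) still need encoding for their own context before being written into the page.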