tsaekao / verademo-java

The Veracode demo application. A simple Java Web App built using Spring MVC.
0 stars 0 forks source link

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) [VID:80:WEB-INF/views/profile.jsp:84] #51

Open github-actions[bot] opened 8 months ago

github-actions[bot] commented 8 months ago

https://github.com/tsaekao/verademo-java/blob/fbaf0f988376f5784b81e8e34bba1cf663edb179/WEB-INF/views/profile.jsp#L79-L89

Filename: WEB-INF/views/profile.jsp

Line: 84

CWE: 80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))

This call to javax.servlet.jsp.JspWriter.print() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis. The first argument to print() contains tainted data from the variable blabName. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. The tainted data is directed into an output stream returned by javax.servlet.jsp.JspWriter. Use contextual escaping on all untrusted data before using it to construct any portion of an HTTP response. The escaping method should be chosen based on the specific use case of the untrusted data, otherwise it may not protect fully against the attack. For example, if the data is being written to the body of an HTML page, use HTML entity escaping; if the data is being written to an attribute, use attribute escaping; etc. Both the OWASP Java Encoder library and the Microsoft AntiXSS library provide contextual escaping methods. For more details on contextual escaping, see https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md. In addition, as a best practice, always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers