GF wrote:

I think that a good framework is a framework that helps the developer
to not create security issues in his applications.

I agree, and Struts2 does that for the most part. Almost every attribute of every tag in Struts2 is HTML escaped. However, the href attribute in particular can't (easily) be automatically HTML escaped or URL encoded, as it's valid for this attribute to contain blocks of JavaScript or VBScript. This applies to s:a, s:div, s:submit and possibly other tags. The developer needs to design out such vulnerabilities, as they would with any HTML tag, at the source of the data.

When you use s:url with includeParams != none and place the result in an href, you're doing the equivalent of:

<a href="<%= request.getRequestURI() %>&param1=a">link</a>

When you set encode=true, I believe this is roughly equivalent to (excluding the logic around the ? and &):

<a href="<%= request.getRequestURI() + "&" + URLEncoder.encode("param1") + "=" + URLEncoder.encode("a") %>">link</a>

The specific issue here is that the requestURI may already contain unencoded characters, so perhaps the s:url tag should URL-encode the entire EXISTING query string instead of just its additional parameters.

My main point though was that it's not a critical issue, it's just an issue.

Interestingly, encoding may not completely eliminate the vulnerability.
In IE6 <a href="javascript%3Aalert%28%27hello%27%29"> doesn't execute
the javascript, but also doesn't issue the request for a page of that name.

Please, can you give me a query string that, even with encoding, can
lead to an XSS attack?
Thank you.


No, nothing leaps to my mind, but in the example above IE doesn't behave normally, and that's a good starting point for potential exploits. If someone was clever enough to exploit that IE used to interpret <scr\nipt> as valid HTML (a line break in the middle of a tag name), they certainly would have investigated whether there are any cases where, for example, javascript%3a is interpreted as javascript:.
PS: I'm sorry if my English is not very good.

Your English is excellent!
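Added example (plain Java, not code from the list message or from Struts2) of the two behaviours discussed above: appending a new parameter while passing the inherited query string through untouched, versus re-encoding every name and value of that query string first. The class and method names and the sample request values are constructed; the re-encoded form of the sample value is the javascript%3Aalert%28%27hello%27%29 string quoted earlier in the thread.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

public class UrlQueryReencode {
    private static final String ENC = "UTF-8";

    // Proposed fix: normalise the EXISTING query string by decoding and then
    // re-encoding every name and value, so raw characters such as ' ( ) : < "
    // cannot survive into the href. Decoding first avoids double-encoding
    // values that were already %XX-encoded; a malformed %-sequence makes
    // URLDecoder throw IllegalArgumentException, which is the right outcome.
    static String reencodeQuery(String rawQuery) throws UnsupportedEncodingException {
        if (rawQuery == null) return "";          // getQueryString() may be null
        StringBuilder out = new StringBuilder();
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? null : pair.substring(eq + 1);
            if (out.length() > 0) out.append('&');
            out.append(URLEncoder.encode(URLDecoder.decode(name, ENC), ENC));
            if (value != null) {
                out.append('=').append(URLEncoder.encode(URLDecoder.decode(value, ENC), ENC));
            }
        }
        return out.toString();
    }

    // Behaviour described above: the inherited query string is appended as-is
    // and only the newly added parameter is URL-encoded.
    static String passThroughHref(String uri, String rawQuery, String name, String value)
            throws UnsupportedEncodingException {
        return uri + "?" + rawQuery + "&" + URLEncoder.encode(name, ENC)
                + "=" + URLEncoder.encode(value, ENC);
    }

    // Hardened variant: identical, except the inherited query string is re-encoded.
    static String reencodedHref(String uri, String rawQuery, String name, String value)
            throws UnsupportedEncodingException {
        return uri + "?" + reencodeQuery(rawQuery) + "&" + URLEncoder.encode(name, ENC)
                + "=" + URLEncoder.encode(value, ENC);
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample: a request whose query string carries an unencoded
        // javascript: value that includeParams would copy into the generated link.
        String uri = "/app/list.action";
        String inherited = "page=2&next=javascript:alert('hello')";
        System.out.println(passThroughHref(uri, inherited, "param1", "a"));
        System.out.println(reencodedHref(uri, inherited, "param1", "a"));
    }
}
```

Note that URLEncoder turns a space into `+`, so a literal `+` in the inherited query string is read back as a space by URLDecoder; that matches how servlet containers parse form-encoded parameters, but it is a behaviour to be aware of when comparing the two outputs.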
