Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Need urgent help related to Cross Site Scripting problem
Posted by: jdev99
Date: November 02, 2011 04:59AM

Hi Friends,

I have developed a secure Web Application. During testing we found an issue related to XSS. The description of the problem is as follows:

If I enter a JavaScript alert in the URL, a popup appears. I want to resolve this vulnerability. My URL is as follows:

https://localhost:8443/myapp/LoginServlet?form=login&event=ok'%2balert(1234)%2b'&value=comein

On hitting the above URL I am calling a JavaScript function and passing the value of the parameter event to that function to forward the request. The function checks the value and forwards the request to the concerned Servlet.

The problem is that, due to the XSS issue, I get a JavaScript alert "1234" on hitting the above URL.

I am passing the encoded value to the JavaScript function but the alert still displays. My code calling the function is as follows:

<body id="wide1000px"
onload="<%if (request.getParameter("event") != null) {
%>forwarRequest('<%=myapp.com.XSSEncoder.filter(request.getParameter("event"))%>');
<%} else {
%>changeValue('<%=switch%>');
<%} %>
>

In the above code "filter" is the function that converts all the HTML-sensitive characters to escape sequences.

Instead of the above encoding, I also tried ESAPI encoding, but nothing works.

I would appreciate immediate help on this.

Thanks in advance.



Edited 1 time(s). Last edit at 11/02/2011 05:03AM by jdev99.

Re: Need urgent help related to Cross Site Scripting problem
Posted by: Gareth Heyes
Date: November 02, 2011 05:24AM

The problem is probably the context you are in. Entity encoding won't work inside an event because it's decoded automatically. For example &#39; becomes ' and so on. Your best bet is to unicode/hex escape the value.

[hackvertor.co.uk]

I think ESAPI has a javascript context that should do this for you.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Need urgent help related to Cross Site Scripting problem
Posted by: jdev99
Date: November 02, 2011 05:26AM

Thanks for your information Gareth :-)

I will try as suggested and let you know.

Re: Need urgent help related to Cross Site Scripting problem
Posted by: jdev99
Date: November 03, 2011 06:20AM

The single quote caused the problem; after replacing the single quote with a double quote the problem got resolved. Please see the corrected code as follows:


<body id="wide1000px"
onload='<%if (request.getParameter("event") != null) {
%>forwarRequest("<%=myapp.com.XSSEncoder.filter(request.getParameter("event"))%>");
<%} else {
%>changeValue("<%=switch%>");
<%} %>
'>


Thanks.....

Re: Need urgent help related to Cross Site Scripting problem
Posted by: Gareth Heyes
Date: November 03, 2011 08:50AM

So what about if you do:
&#39;,alert(1),&#39;
or
&apos;,alert(1),&apos;

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
