
RE: [WEB SECURITY] HTMLEncoding in textarea in java



Hrm. After looking at your email more closely I am only becoming more confused about your situation.

0) I assume you weren't actually calling any encoding or mis-calling it, because properly encoded data within textareas won't execute. For paranoia's sake, I just tested in FF2 + IE7.
1) Your code looks like JSP EL and your variable looks like a Struts ActionForm, but you talk about "server.encodeHTML." The closest thing to this I know is .NET's Server.HtmlEncode(), which does at least the big four (<>&"). What technologies are involved here?
2) Do a "View Source" on an injected page. What are you looking at? Are you sure the problem isn't in another part of the page?

Arshan

________________________________

From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi@aspectsecurity.com]
Sent: Tue 9/9/2008 12:05 PM
To: mike ; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] HTMLEncoding in textarea in java


Mike,

The output method you've chosen, JSP Expression Language (EL), does not encode output automatically. You need to either use another mechanism or encode the value of "userdata" in your action handler before control is forwarded to the JSP.

Alternatives:
1) Scriptlet in combination with custom function for HTML-entity encoding:
<% out.println(org.owasp.HTMLEncode(addEditConfigurationForm.getUserData())); %>

2) JSP Expression in combination with custom function for HTML-entity encoding:
<%= org.owasp.HTMLEncode(addEditConfigurationForm.getUserData()) %>

3) Custom JSP tag that performs HTML-entity encoding:
<bean:write name="addEditConfigurationForm" property="userdata"/>

I think most people will agree #3 is the cleanest. That particular JSP tag is in the Struts taglib, and given your form variable's naming convention, I'd guess with high confidence that it should be available in your environment. The OWASP ESAPI project also has tag libraries available specifically for dealing with XSS in many contexts, so I would also check those out.

Cheers,
Arshan

________________________________

From: mike [mailto:mike9966@rediffmail.com]
Sent: Tue 9/9/2008 11:18 AM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] HTMLEncoding in textarea in java



Hi,

I have an instance where user-supplied data is initially stored in the database and later displayed back in the <textarea> field to the browser.

When I try to encode the value using server.encodeHTML, the script is still executing in the browser, leading to XSS.

To give an instance,

<bc:textarea name="userdata" id="userdata" (this,255);"'>${addEditConfigurationForm.userdata}</bc:textarea>

Kindly let me know how to implement encoding in this instance to mitigate XSS.

Thanks
Mike



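Worked example, added here and not part of the thread above. It shows, in plain Java, what the difference between the raw ${addEditConfigurationForm.userdata} interpolation and the encoded alternatives in Arshan's reply looks like on the wire, and automates the "View Source" check he suggests: a textarea is RCDATA, so an inert <b> or & inside it is harmless, but the browser ends the element at the first </textarea> it sees (case-insensitively, whitespace before > allowed), and anything after that is live markup. htmlEncode() is a hypothetical stand-in for org.owasp.HTMLEncode / Struts bean:write / ESAPI's encodeForHTML, and the three payload strings are constructed samples.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example: raw vs. HTML-entity-encoded output inside a <textarea>.
 * htmlEncode() is a hypothetical stand-in for the encoder the thread refers to.
 */
public final class TextareaEncodingDemo {

    /** How a browser ends textarea content: first close tag, any case, optional whitespace. */
    private static final Pattern CLOSE_TAG = Pattern.compile("(?i)</textarea\\s*>");

    /** Encode the characters that matter in HTML element and attribute context. */
    public static String htmlEncode(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // beyond the "big four"; needed in single-quoted attributes
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** What ${addEditConfigurationForm.userdata} emits: the value is interpolated verbatim. */
    public static String renderRaw(String userdata) {
        return "<textarea name=\"userdata\" id=\"userdata\">" + userdata + "</textarea>";
    }

    /** What <bean:write .../> or a scriptlet calling the encoder emits. */
    public static String renderEncoded(String userdata) {
        return "<textarea name=\"userdata\" id=\"userdata\">" + htmlEncode(userdata) + "</textarea>";
    }

    /**
     * Automated "View Source" check: true when the first </textarea> the browser
     * would honour is not the one at the end of the fragment, i.e. the user
     * value closed the element and whatever follows is parsed as live HTML.
     */
    public static boolean escapesTextarea(String html) {
        Matcher m = CLOSE_TAG.matcher(html);
        return m.find() && m.end() < html.length();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, two break-out payloads.
        List<String> samples = Arrays.asList(
            "just some text & a <b>tag</b> that stays inert inside a textarea",
            "</textarea><script>alert(document.cookie)</script>",
            "</TEXTAREA ><img src=x onerror=alert(1)>"
        );
        for (String userdata : samples) {
            String raw = renderRaw(userdata);
            String enc = renderEncoded(userdata);
            System.out.println("input   : " + userdata);
            System.out.println("raw     : " + raw + "  -> escapes textarea? " + escapesTextarea(raw));
            System.out.println("encoded : " + enc + "  -> escapes textarea? " + escapesTextarea(enc));
            System.out.println();
        }
    }
}
```

Compile and run with javac TextareaEncodingDemo.java && java TextareaEncodingDemo. The benign sample reports false in both forms (markup inside RCDATA is not interpreted), while both break-out payloads report true for the raw rendering and false once encoded, because the payload's </textarea> has become &lt;/textarea&gt;. Two practical notes: in real code use a maintained encoder rather than a hand-rolled one, for example Struts' bean:write (which filters by default), JSTL's <c:out value="${addEditConfigurationForm.userdata}"/> (escapeXml defaults to true), or ESAPI's encodeForHTML; and apply the encoding at output time for the HTML context you are writing into, since the same value landing in an attribute or a script block needs a different encoder.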




Brought to you by http://www.webappsec.org