WebApp Sec mailing list archives
Re: Potential XSS errors when using information from HTTP requests
From: Paul Johnston <paul () westpoint ltd uk>
Date: Mon, 18 Oct 2004 11:59:50 +0100
Hi,

I presume whatever you pass to sendRedirect ends up in the Location: header. Given that the risk is not XSS but HTTP response splitting, you'll have to play with J2EE a bit to see how it handles newlines.
BTW, sometimes scanners report XSS vulns on a 302 redirect page. It seems that in general browsers do not parse the HTML for these pages and the JavaScript is not executed. However, perhaps some obscure browsers will execute it. Does anyone know of any paper that resolves this issue?
Regards,
Paul

V.Benjamin Livshits wrote:
I've been seeing a lot of redirects like the ones below in J2EE programs.

1. response.sendRedirect(request.getParameter("REFERRER"));
2. response.sendRedirect(request.getRequestURI());
3. response.sendRedirect(request.getServletPath() + toPath);

Since the URL the user is being redirected to comes from the HTTP header, I was wondering if forging parts of the header may lead to a cross-site scripting exploit of some sort. Clearly, it would be dangerous to use this data as part of SQL statements. However, I have trouble imagining XSS exploit scenarios.

Thanks,
-Ben
--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
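A validation routine for redirect targets, added here as an example; it is not code from the thread or from J2EE. It is written in Python rather than Java to show the logic that would run on a value such as request.getParameter("REFERRER") before response.sendRedirect(): refuse anything containing CR, LF or other control characters (the response-splitting case Paul raises), and, going one step beyond the thread, only allow absolute URLs that point at an allow-listed host (ALLOWED_HOSTS and the sample values are assumptions made for this example).

```python
"""Check a redirect target before it is written into a Location: header.

Constructed example. Mirrors the check a servlet should run on
request.getParameter("REFERRER") before response.sendRedirect(): a header
value must not contain CR/LF (HTTP response splitting), and the destination
must stay on a site we trust (no open redirect to an arbitrary host).
"""
from typing import Optional
from urllib.parse import urlsplit

# Hosts we are willing to redirect to; assumed for this example.
ALLOWED_HOSTS = {"www.example.com"}


def _has_control_chars(s: str) -> bool:
    """True if s contains any ASCII control character (CR, LF, ...) or DEL."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def safe_redirect_target(value: Optional[str], allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return value if it is an acceptable redirect target, otherwise None."""
    if not value or _has_control_chars(value):
        return None
    # Some browsers treat a backslash like a slash; refuse it rather than guess.
    if "\\" in value:
        return None
    try:
        parts = urlsplit(value)
    except ValueError:          # e.g. a malformed IPv6 literal
        return None
    if parts.scheme or parts.netloc:
        # Absolute (or scheme-relative "//host/...") URL: http(s) to a known host only.
        if parts.scheme not in ("http", "https"):
            return None
        if parts.hostname not in allowed_hosts:
            return None
        return value
    # Relative target: exactly one leading slash, so it cannot name another host.
    if not value.startswith("/") or value.startswith("//"):
        return None
    return value


def location_header(value: Optional[str], allowed_hosts=ALLOWED_HOSTS) -> str:
    """Build the Location: header line; raise instead of emitting an unsafe value."""
    target = safe_redirect_target(value, allowed_hosts)
    if target is None:
        raise ValueError("refusing to redirect to untrusted or malformed target")
    return "Location: " + target + "\r\n"
```

Note that a servlet container has already URL-decoded getParameter() values, so an encoded %0d%0a arrives here as a raw CR/LF and is caught by the control-character check; a container that re-encodes or strips newlines in sendRedirect() changes nothing about the need for this check.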