WebApp Sec mailing list archives

Re: Potential XSS errors when using information from HTTP requests


From: Paul Johnston <paul () westpoint ltd uk>
Date: Mon, 18 Oct 2004 11:59:50 +0100

Hi,

I presume whatever you pass to sendRedirect ends up in the Location: header. Given that the risk is not XSS but HTTP response splitting, you'll have to play with J2EE a bit to see how it handles newlines.

BTW, sometimes scanners report XSS vulns on a 302 redirect page. It seems that in general browsers do not parse the HTML for these pages and the JavaScript is not executed. However, perhaps some obscure browsers will execute it. Does anyone know of any paper that resolves this issue?

Regards,

Paul



V.Benjamin Livshits wrote:

I've been seeing a lot of redirects like the ones below in J2EE
programs.

1.      response.sendRedirect(request.getParameter("REFERRER"));

2.      response.sendRedirect(request.getRequestURI());

3.      response.sendRedirect(request.getServletPath() + toPath);

Since the URL the user is being redirected to comes from the HTTP
header, I was wondering if forging parts of the header may lead to a
cross-site scripting exploit of some sort. Clearly, it would be
dangerous to use this data as part of SQL statements. However, I have
trouble imagining XSS exploit scenarios.

Thanks,

-Ben



--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
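The Location-header newline risk Paul describes, as an added example that is not part of the original thread: a small Python model of a server that copies a redirect target into the header verbatim, a counter that detects the resulting split, and the check an application should apply before calling sendRedirect. The server model, sample targets and function names are constructed for illustration, not taken from J2EE.

```python
import re

CRLF = "\r\n"

# Constructed sample targets: what request.getParameter("REFERRER") might
# return after the container has URL-decoded it.
SAFE_TARGET = "/account/summary"
SPLIT_TARGET = (
    "/account/summary" + CRLF
    + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF + CRLF
    + "<p>constructed second response</p>"
)


def build_redirect_response(target: str) -> str:
    """Model of a server that copies the target verbatim into Location:."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + target + CRLF + CRLF


def count_responses(raw: str) -> int:
    """Count status lines; a correctly formed redirect has exactly one."""
    return len(re.findall(r"^HTTP/1\.[01] \d{3}", raw, flags=re.MULTILINE))


def is_safe_redirect_target(target: str) -> bool:
    """Reject CR, LF and every other control character before the value
    reaches the header; this is the check the container or app must do."""
    return not any(ord(ch) < 0x20 or ch == "\x7f" for ch in target)


def redirect_location(target: str) -> str:
    """What the application should hand to sendRedirect: the validated
    target, or an exception instead of a split response."""
    if not is_safe_redirect_target(target):
        raise ValueError("control character in redirect target")
    return target


if __name__ == "__main__":
    for target in (SAFE_TARGET, SPLIT_TARGET):
        raw = build_redirect_response(target)
        print(f"responses on the wire: {count_responses(raw)}, "
              f"accepted by check: {is_safe_redirect_target(target)}")
```

Run stand-alone it reports one response for the safe target and two for the split one, which the check rejects before it ever reaches the header.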
