Servlet reflected cross site scripting vulnerability

1
votes

I've analyzed a code with Findbugs and it reported a warning for

servlet reflected cross site scripting vulnerability.

Code is like that and the 3rd line throws the warning:

String tickName = request.getParameter("ticko");
PrintWriter w = response.getWriter();
w.println("Unable to perform tickonem '" + tickName +"' because no tick with that name is active!"); //this line throws warning.

What is the real reason for it and how to fix it?

1
csshttpservletsxss

1 Answers

1
votes

Reason for that is appending user provided data to the response without any escaping. This is vulnerable to injecting javascript which will get executed in user browser. To avoid such vulnerabilities you should html escape every user supplied data before sending it back. You can use some existing libraries to perform escaping for you like for example StringEscapeUtils