2
votes

I am using a filter to prevent XSS by encoding the HTML characters of my JSP form parameters.

I am resolving them in the JSP using the ${param} expression.

This works fine in Tomcat, as the values are resolved as-is, but on WebLogic the values are getting decoded, causing the XSS to succeed.

I am using this simple code in the JSP to test it:

<c:set var="testing" value="eb011&quot;&gt;&lt;img src=a onerror=confirm(1)&gt;47379"/>
<input type="hidden" name="encoding" value="${testing }"/>

Result in Tomcat:

<input type="hidden" onerror="confirm(1)&gt;47379&quot;/" src="a" &gt;&lt;img="" value="eb011" name="encoding">

Result in WebLogic:

<input type="hidden" value="eb011" name="encoding"><img onerror="confirm(1)" src="a">47379"/&gt;

Please tell me why WebLogic is decoding the HTML entities and what could be done to prevent it.


1 Answer

1
votes

I have never used WebLogic in my life, but I do know a little about XSS. After doing some googling I found the following method to encode HTML entities in WebLogic. I guess that will help you out.

WebLogic Server provides the weblogic.servlet.security.Utils.encodeXSS() method to replace the special characters in user-supplied data. To use this method, provide the user-supplied data as input. For example, in a JSP scriptlet (using the implicit request object):
<%= weblogic.servlet.security.Utils.encodeXSS(request.getParameter("userInput")) %>

From: Oracle docs

WebLogic Server provides the weblogic.servlet.security.Utils.encodeXSS() method to replace the special characters in user-supplied data.
out.print(defaultGreeting + " " + weblogic.servlet.security.Utils.encodeXSS(name) + "!");

From: Using a WebLogic Server Utility Method
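The following is an added example, not code from the question, the answer, or WebLogic itself. It models the two behaviours the question reports: a request filter entity-encodes the parameter on the way in, and the view then either inserts that value as-is or entity-decodes it before inserting it (the WebLogic result). Encoding at the point where the value is written into the page, as the answer's encodeXSS() call does, survives both behaviours. The class name, the minimal encoder/decoder and the isSingleTag check are all hypothetical; the payload is the one from the question.

```java
/**
 * Added example (not from the question, the answer or WebLogic).
 * Compares "encode on input, trust the view" with "encode on output"
 * under a view that inserts values as-is and a view that decodes
 * entity references first.
 */
public class OutputEncodingDemo {

    /** Constructed payload, the same value the question tests with. */
    static final String PAYLOAD = "eb011\"><img src=a onerror=confirm(1)>47379";

    /** Minimal HTML encoder for the characters that can break out of an attribute or text node. */
    static String encodeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Stand-in for a view layer that resolves entity references before inserting a value. */
    static String decodeHtml(String s) {
        return s.replace("&lt;", "<")
                .replace("&gt;", ">")
                .replace("&quot;", "\"")
                .replace("&#39;", "'")
                .replace("&amp;", "&");   // last, so "&amp;lt;" becomes "&lt;", not "<"
    }

    /** The hidden input from the question, with the value dropped into the attribute. */
    static String attributeTemplate(String value) {
        return "<input type=\"hidden\" name=\"encoding\" value=\"" + value + "\"/>";
    }

    /** The filter design from the question: encode on input, then trust the view. */
    static String inputEncodedFlow(String raw, boolean viewDecodes) {
        String stored = encodeHtml(raw);                     // what the request filter produces
        String value = viewDecodes ? decodeHtml(stored) : stored;
        return attributeTemplate(value);
    }

    /** The hardened design: carry the raw value and encode where it is written into the page. */
    static String outputEncodedFlow(String raw, boolean viewDecodes) {
        String value = viewDecodes ? decodeHtml(raw) : raw;  // raw holds no entities, so there is nothing to undo
        return attributeTemplate(encodeHtml(value));         // encoding runs last, e.g. encodeXSS() or <c:out>
    }

    /** A hidden input must be exactly one tag; a second '<' means the attribute was broken out of. */
    static boolean isSingleTag(String html) {
        return html.indexOf('<') == 0 && html.indexOf('<', 1) == -1;
    }

    public static void main(String[] args) {
        for (boolean viewDecodes : new boolean[] {false, true}) {
            String label = viewDecodes ? "view decodes entities" : "view inserts as-is   ";
            String a = inputEncodedFlow(PAYLOAD, viewDecodes);
            String b = outputEncodedFlow(PAYLOAD, viewDecodes);
            System.out.println("[" + label + "] input-encoded : " + (isSingleTag(a) ? "safe   " : "BROKEN ") + a);
            System.out.println("[" + label + "] output-encoded: " + (isSingleTag(b) ? "safe   " : "BROKEN ") + b);
        }
    }
}
```

With the decoding view, inputEncodedFlow produces the same markup as the WebLogic result in the question (a closed input followed by a live img tag), while outputEncodedFlow stays a single tag in both cases. In a JSP the output-side encoder is the answer's weblogic.servlet.security.Utils.encodeXSS() or the standard JSTL <c:out value="${param.encoding}"/> (which escapes XML by default) in place of a bare ${param.encoding}. If you move encoding to the output, remove the input-encoding filter rather than stacking both; otherwise a legitimate & arrives as &amp;amp; and the page shows "&amp;" as text.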