Cross Site Scripting with Hidden Inputs

2
votes

My company gave me the task of resolving all security issues with a particular application. The security tream reported a cross site scripting error. The error lies in the following input field:

<input type="hidden" name="eventId" value="${param.eventId}"/>

The report from security wasn't very detailed, but the say they can make a POST request to the page that has the above tag including the following malicious code:

eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e

And that when the page reloads, it will have the following:

<input type="hidden" name="eventId" value=""><sCrIpt>alert(83676)</sCrIpt></value>

I am trying to "be the hacker" and show the vulnerability. But I can't figure out how they manage to get that script in there. I am guessing they include it as a URL parameter in the GET request for the form, but when I try to do it myself I get a 403 error. Does anyone know how the vulnerability can be shown?

I know there is a number of XSS questions on the site, but none seem to hit this topic.

4
xss
How did you add it to the URL? Where there any other parameters? - Erlend

4 Answers

3
votes

So, I am not sure why, but my original hunch was correct. The script can be put on as a URL parameter. For some reason though, this was not working with our staging site. Only with running the application locally. I am not sure why, but this works (only locally):

http://localhost:8080/myUrl/MyAction.do?eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e

Doing that, you see an alert box pop up. I am planning to fix it using JSTL functions.

<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
...
<input type="hidden" name="eventId" value="${fn:escapeXml(param.eventId)}"/>
1
votes

Install [TamperData][1] add-on in firefox browser which let you edit the data before submitting. Doesn't matter if it's in POST or GET.

By using this hidden fields can be edited.

0
votes

What you want to do to fix the problem, is to HTMLAttributeEncode the value before putting it inside the value-attribute. See OWASP ESAPI or MS AntiXSS for methods for doing HTML attribute encoding. Seeing how the attack string is URL encoding, I think you guess about including it as a GET parameter seems reasonable.

0
votes

I used the OWASP ESAPI API as the legacy jsp's didn't have JSTL available. This is what I used:

<input type="hidden" name="dataValue" value="<%=ESAPI.encoder().encodeForHTMLAttribute(dataValue)%>">

You can also use the API to filter request.Parameter() which I also needed, as in:

String userURL = request.getParameter( "userURL" )
boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false); 
if (isValidURL) {  
    <a href="<%=encoder.encodeForHTMLAttribute(userURL)%>">link</a>
}

and:

String name = (String) request.getParameter("name");
name = ESAPI.validator().getValidInput("name ", name , "SafeString", 35, true);