发表新帖
发表新帖

How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) with error message?

后端 未结
关注
5 1938
野趣味
野趣味 2020-12-10 19:29

We use web control adapter in our login page. Recently we run VeraCode on our web application. In following function, we got CWE80, Improper Neutralization of Script-Related

相关标签:
5条回答
  • [愿得一人]
    2020-12-10 19:37

    VeraCode lists Supported Cleansing Functions, including those CWE IDs that each function addresses.

    0 讨论(0)
  • 小鲜肉
    2020-12-10 19:39

    The problem is that 'msg' is being passed down to your function, but there is no neutralization of this before it gets used - the string gets uses 'as-is' so could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf

    I've not used this myself, but I think ErrorMessage gets rendered and displayed in the event of an error. Because this will get rendered on the final page if 'msg' was a naughty snippet of code you are exposing yourself and your users to a security vulnerability.

    Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

    You should be able to use HtmlEncode to make this safe HttpUtility.HtmlEncode(unencoded);

    rev.ErrorMessage = System.web.HttpUtility.HtmlEncode(msg);
    0 讨论(0)
  • 谎友^
    2020-12-10 19:53

    A function call contains an HTTP response splitting flaw. Writing unsanitized user-supplied input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, leading to cache poisoning and crosssite scripting attacks.

    Issue Code

    strMessage=CLASSCONSTANTNAME+className+MESSAGENAME+message; LOGGER.info(strMessage);

    Fixed Code

    strMessage=CLASSCONSTANTNAME+className+MESSAGENAME+message; LOGGER.info(ESAPI.encoder().encodeForHTML(strMessage));

    moredetail

    0 讨论(0)
  • 野趣味
    2020-12-10 19:54

    You can also use Apache Commons Lang3 library StringEscapeUtils. It has various methods for encoding the strings. e.g. escapeXml(string), escapeHtml(string) etc.

    rev.ErrorMessage = StringEscapeUtils.escapeHtml(msg);
    0 讨论(0)
  • 面向向阳花
    2020-12-10 19:55

    You can use ESAPI library to fix this.

    rev.ErrorMessage = ESAPI.encoder().encodeForHTML(msg);
    0 讨论(0)
 看不清?
提交回复
热议问题