WebApp Sec mailing list archives

Re: Potential XSS errors when using information from HTTP requests
From: Paul Johnston <paul () westpoint ltd uk>
Date: Mon, 18 Oct 2004 11:59:50 +0100

Hi,

I presume whatever you pass to sendRedirect ends up in the Location: header. Given that the risk is not XSS but HTTP response splitting, you'll have to play with J2EE a bit to see how it handles newlines.

BTW, sometimes scanners report XSS vulns on a 302 redirect page. It seems that in general browsers do not parse the HTML for these pages and the JavaScript is not executed. However, perhaps some obscure browsers will execute it. Does anyone know of any paper that resolves this issue?

Regards,

Paul



V.Benjamin Livshits wrote:

I've been seeing a lot of redirects like the ones below in J2EE
programs.

1.      response.sendRedirect(request.getParameter("REFERRER"));

2.      response.sendRedirect(request.getRequestURI());

3.      response.sendRedirect(request.getServletPath() + toPath);

Since the URL the user is being redirected to comes from the HTTP
header, I was wondering if forging parts of the header may lead to a
cross-site scripting exploit of some sort. Clearly, it would be
dangerous to use this data as part of SQL statements. However, I have
trouble imagining XSS exploit scenarios.

Thanks,

-Ben



--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
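As an added illustration of the response-splitting risk Paul describes (example code written for this archive page, not code from the thread, from Westpoint, or from any J2EE container): the block below models, in Python, a naive 302 writer that copies the redirect target into the Location header verbatim, shows how a CR/LF pair in the target turns one response into two on the wire, and then validates the target the way an application should before calling sendRedirect. Everything here is an assumption made for the example: the function names (build_redirect_response, count_responses, safe_redirect_target, is_allowed_target, redirect_from_request), the constructed INJECTED_REFERRER value, and the fiction that the container does no header filtering at all. Whether a real container lets CR/LF through is exactly the question Paul says to test; current servlet containers generally reject or strip it, but the application-side check costs nothing and also closes the open-redirect problem, which CR/LF filtering does not.

```python
"""
Added example, not from the mailing-list thread.

Models the path from request.getParameter("REFERRER") to the
Location: header, the split that an embedded CR/LF causes, and a
validation step that keeps user data from ever reaching the header
unchecked.  The "container" here is a hypothetical one that copies
the value verbatim; it is not J2EE's sendRedirect implementation.
"""
import re
from urllib.parse import urlsplit

CRLF = "\r\n"

# Constructed attack value: what getParameter("REFERRER") would return
# after the container URL-decodes %0d%0a in the query string.  It ends
# the 302's headers early and supplies a complete second response.
INJECTED_REFERRER = (
    "http://example.com/"
    + CRLF + "Content-Length: 0"
    + CRLF + CRLF
    + "HTTP/1.1 200 OK"
    + CRLF + "Content-Type: text/html"
    + CRLF + "Content-Length: 25"
    + CRLF + CRLF
    + "<script>alert(1)</script>"
)

# Any control character can break the header line; CR and LF are the
# ones that matter for splitting, but there is no reason to allow others.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_redirect_response(location):
    """Naive 302 writer (hypothetical container): copies `location`
    into the Location header without any filtering."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def count_responses(stream):
    """Count the HTTP responses a client or proxy would see in one
    stream: a status line at the start, or right after the blank line
    that ends a header block, begins a new response."""
    return len(re.findall(r"(?:^|\r\n\r\n)HTTP/1\.[01] \d{3}", stream))


def safe_redirect_target(value, allowed_host):
    """Accept a site-local path or an absolute http(s) URL whose host is
    `allowed_host`; reject everything else.  Returns `value` unchanged
    when it is acceptable, otherwise raises ValueError.  Checks the
    decoded value, which is what getParameter hands back."""
    if not value or CONTROL_CHARS.search(value):
        raise ValueError("control characters in redirect target")
    # "/path" is local; "//host" and "/\host" are scheme-relative URLs
    # to another host, so they fall through to the absolute-URL rules.
    if value.startswith("/") and value[1:2] not in ("/", "\\"):
        return value
    parts = urlsplit(value)
    # hostname strips userinfo, so "http://allowed@evil/" yields "evil".
    if parts.scheme in ("http", "https") and parts.hostname == allowed_host:
        return value
    raise ValueError("redirect target not allowed: %r" % value[:40])


def is_allowed_target(value, allowed_host):
    """Boolean wrapper around safe_redirect_target."""
    try:
        safe_redirect_target(value, allowed_host)
        return True
    except ValueError:
        return False


def redirect_from_request(param_value, allowed_host):
    """What the servlet should do: validate, then hand the value to the
    (still naive) writer.  Never produces more than one response."""
    return build_redirect_response(safe_redirect_target(param_value, allowed_host))


if __name__ == "__main__":
    print("benign:", count_responses(build_redirect_response("/home")), "response(s)")
    print("injected:", count_responses(build_redirect_response(INJECTED_REFERRER)), "response(s)")
    for candidate in ("/account/home", INJECTED_REFERRER, "//evil.example.net/",
                      "http://www.example.com@evil.example.net/"):
        print(repr(candidate[:32]), "->", is_allowed_target(candidate, "www.example.com"))
```

The second response in the injected stream is the one that does damage: on a pipelined or proxied connection it is paired with the next request, so a browser or cache receives attacker-controlled HTML for a URL it asked for legitimately. That is why the bug is response splitting rather than XSS in the 302 body, and why the check has to run on the decoded parameter value before the header is written.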


