WebApp Sec mailing list archives

RE: Potential XSS errors when using information from HTTP requests
From: "Calderon, Juan Carlos (GE Commercial Finance, NonGE)" <juan.calderon () ge com>
Date: Mon, 18 Oct 2004 10:12:41 -0400

I can see a potential XSS issue in the first option, since Java contains a design issue allowing you to obtain information sent through GET or POST (and as far as I can see HTTP headers) using the same sentence and with no form to change this behaviour (I mean calling request.getParameter).

In the event you enter a URL field and a Form field with the same name and send them to the server, the URL field will take precedence and thus be taken by request.getParameter. Therefore, adding a REFERER parameter to a URL (probably?) will take precedence over the HTTP header as well.

A little more research will confirm or discard this issue using an HTTP header.

Best Regards,
-Juan Carlos Calderon

-----Original Message-----
From: V.Benjamin Livshits [mailto:livshits () cs stanford edu]
Sent: Saturday, 16 October 2004 04:27 p.m.
To: webappsec () securityfocus com
Subject: Potential XSS errors when using information from HTTP requests


I've been seeing a lot of redirects like the ones below in J2EE
programs.

1.      response.sendRedirect(request.getParameter("REFERRER"));

2.      response.sendRedirect(request.getRequestURI());

3.      response.sendRedirect(request.getServletPath() + toPath);

Since the URL the user is being redirected to comes from the HTTP
header, I was wondering if forging parts of the header may lead to a
cross-site scripting exploit of some sort. Clearly, it would be
dangerous to use this data as part of SQL statements. However, I have
trouble imagining XSS exploit scenarios.

Thanks,

-Ben


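Added example (not code from either poster): a hardened version of the first redirect pattern in the thread. It reads the query-string parameter and the Referer header through their distinct accessors rather than relying on request.getParameter, rejects control characters so a forged value cannot break the Location header, and only redirects to a site-relative path or to a constructed allowlist of hosts. The class name SafeRedirect, the allowlist, and the use of the javax.servlet API are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper added for this example; not from the thread.
public final class SafeRedirect {
    // Constructed allowlist of hosts this application may send users to.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("www.example.com", "login.example.com");

    // Returns a validated redirect target, or null if the value must be rejected.
    static String validateTarget(String raw) {
        if (raw == null || raw.isEmpty()) return null;
        // CR/LF or other control characters would let a forged value inject
        // extra headers or a body into the redirect response.
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c < 0x20 || c == 0x7f) return null;
        }
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return null;
        }
        // Site-relative path: exactly one leading "/" ("//host/..." is scheme-relative).
        if (uri.getScheme() == null && uri.getHost() == null
                && raw.startsWith("/") && !raw.startsWith("//")) {
            return uri.normalize().toString();
        }
        // Absolute URL: https only, host must be on the allowlist ("javascript:" etc. fall through).
        if ("https".equalsIgnoreCase(uri.getScheme()) && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            return uri.toString();
        }
        return null;
    }

    // Vulnerable pattern from the thread:
    //   response.sendRedirect(request.getParameter("REFERRER"));
    // Hardened form: getParameter merges query-string and POST values, so the
    // header is read separately with getHeader; both go through validateTarget.
    static void redirectSafely(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String target = validateTarget(request.getParameter("REFERRER"));
        if (target == null) target = validateTarget(request.getHeader("Referer"));
        response.sendRedirect(target != null ? target : "/");
    }
}
```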