在 BufferedReader readLine() 方法上反射 XSS
[英]Reflected XSS on BufferedReader readLine() method
问题描述
I have scanned a java web project with the Checkmarx tool, and the analysis marks an XSS vulnerability in a method where a web service is executed that responds a JSON, the vulnerability is in the line while((output = Encode.forJava(br.readLine())) != null) { , specifically in br.readLine() .
我用 Checkmarx 工具扫描了一个 java web 项目,分析标记了一个方法中的 XSS 漏洞,其中执行 web 服务响应 JSON,该漏洞位于while((output = Encode.forJava(br.readLine())) != null) { ,特别是在br.readLine()中。
Checkmarx says: Checkmarx 说:
The attacker would be able to alter the returned web page by simply providing modified data in the user input
readLine, which is read by theNetClientPostmethod.NetClientPost方法读取的用户输入readLine中提供修改后的数据,即可更改返回的 web 页面。 This input then flows through the code straight to the output web page, without sanitization.
I tried with OWASP for Java, implementing the method Encode.forJava() , but the vulnerability continues to appear in the analysis.我尝试使用 OWASP for Java,实现方法Encode.forJava() ,但该漏洞继续出现在分析中。 This is the implementation of the method:这是该方法的实现:
public String NetClientPost (String urlSer, String param){
String result ="";
try {
InetAddress ip = InetAddress.getLocalHost();
String host = ip.getHostAddress();
doTrustToCertificates();
URL url = new URL(urlSer);
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setDoOutput(true);
conn.setRequestMethod("POST");
conn.setRequestProperty("Content-Type", "application/json");
conn.setConnectTimeout(2000);
String input = param;
String output = "";
try(OutputStream os = conn.getOutputStream()) {
os.write(input.getBytes());
os.flush();
if (conn.getResponseCode() != 200) {
throw new RuntimeException("Failed : HTTP code : " + conn.getResponseCode());
}
try (BufferedReader br = new BufferedReader(new InputStreamReader((conn.getInputStream())))) {
while ((output = Encode.forJava(br.readLine())) != null) {//LINE OF CHECKMARX XSS
result += output;
}
}
}
conn.disconnect();
return result;
} catch (MalformedURLException e) {
return result;
} catch (IOException e) {
return result;
} catch (Exception e) {
return result;
}
}
Any have an idea of how to solve this?任何人都知道如何解决这个问题?
2 个解决方案
解决方案1
1 2020-12-18 20:26:18
Try parsing the incoming data as JSON and then serializing it back to a string before sending it on.尝试将传入数据解析为 JSON,然后在发送之前将其序列化回字符串。
That way you can be sure that your method only returns JSON to the client.这样你就可以确定你的方法只返回 JSON 给客户端。 If for some reason, your incoming data isn't JSON, then your method would encounter an error parsing the JSON, which you can then handle appropriately.如果由于某种原因,您的传入数据不是 JSON,那么您的方法将在解析 JSON 时遇到错误,然后您可以对其进行适当处理。
Encode.forJava isn't a helpful method to use here: it is used to encode a string to be inserted into a Java string literal. Encode.forJava在这里不是一个有用的方法:它用于编码要插入到 Java 字符串文字中的字符串。
解决方案2
0 2023-01-20 06:29:47
output = Encode.forHtmlAttribute(br.readLine() works for me output = Encode.forHtmlAttribute(br.readLine() 对我有用
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.