stackoom
  简体   繁体   中英

Xss Vulnerability

 原文  2016-03-03 13:44:22       java/ jsp/ xss

Question

I have make an audit with Acunetix Vulnerability Scanner about my web application, the Developer Reporttell me that: 

/referentiels-web/j_spring_cas_security_check
Details
URL encoded GET input ticket was set to ST-1664-V7HlBALHdSMeqYmAjHL9-passeport01.brgm-rec.fr'"()&%<acx><ScRiPt>qvVq(9803)</ScRiPt>
>qvVq(9803)</ScRiPt>
GET /referentiels-web/authfailed.jsp;jsessionid=83A16DB68D05ECF865408DAC009A0DAF HTTP/1.1
Referer: https://myapp.com:443/referentiels-web/
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Host: Rgf-ref.brgm-rec.fr

but when when I try to reproduce this xss vulnerabilities, I can not reproduce, why ..?

My test url: 

https://myapp.com:443/referentiels-web/authfailed.jsp;jsessionid=83A16DB68D05EC‌​F865408DAC009A0DAF?<sc ript>alert('test')</sc ript>

The report: 在此处输入图片说明

Postman: 在此处输入图片说明

authfailed.jsp: 

<%@ page import="org.springframework.security.core.AuthenticationException" %>
<%@ page import="org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter" %>
<%@ page import="org.springframework.security.web.WebAttributes" %>

<html>
<head>
    <title>Login to CAS failed!</title>
</head>

<body>
<h2>Login to CAS failed!</h2>

<font color="red">
    Your CAS credentials were rejected.<br/><br/>
    Reason: <%= ((AuthenticationException) session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION)).getMessage() %>
</font>

</body>
</html>

1 answers

solution1
 0  2016-04-07 14:45:05

I can see from the report that the Script is set into the "ticket" GET input

Try using this url: 

https://myapp.com:443/referentiels-web/authfailed.jsp;jsessionid=83A16DB68D05EC‌​F865408DAC009A0DAF?ticket=ST-1664-V7HlBALHdSMeqYmAjHL9-passeport01.brgm-rec.fr'"()&%<ScRiPt>alert('test')</ScRiPt>

or an encoded one like: 

https://myapp.com:443/referentiels-web/authfailed.jsp;jsessionid=83A16DB68D05EC‌​F865408DAC009A0DAF?ticket=%53%54%2D%31%36%36%34%2D%56%37%48%6C%42%41%4C%48%64%53%4D%65%71%59%6D%41%6A%48%4C%39%2D%70%61%73%73%65%70%6F%72%74%30%31%2E%62%72%67%6D%2D%72%65%63%2E%66%72%27%22%28%29%26%25%3C%53%63%52%69%50%74%3E%61%6C%65%72%74%28%27%74%65%73%74%27%29%3C%2F%53%63%52%69%50%74%3E

or 

https://myapp.com:443/referentiels-web/authfailed.jsp;jsessionid=83A16DB68D05EC‌​F865408DAC009A0DAF?ticket=U1QtMTY2NC1WN0hsQkFMSGRTTWVxWW1BakhMOS1wYXNzZXBvcnQwMS5icmdtLXJlYy5mciciKCkmJTxTY1JpUHQ+YWxlcnQoJ3Rlc3QnKTwvU2NSaVB0Pg==

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question XSS vulnerability despite encoding XSS vulnerability in java How to prevent XSS vulnerability with Struts xss vulnerability with servletoutputstream.write How to test XSS vulnerability using Selenium WebDriver? Checkmarx fix for CGI_Stored_XSS Vulnerability XSS VULNERABILITY FOR XML — response.getWriter().write(xml.toString()); How to fix Checkmarx vulnerability for Checkmarx scan 'reflected XSS all clients'? Prevent XSS/Cross site scripting vulnerability - request.getParameter() in JSP How to securely send an e-mail from client without exposing an XSS vulnerability?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM