Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Potential XSS errors when using information from HTTP requests

from [Paul Johnston] Network Security [Permanent Link]
Subject: Re: Potential XSS errors when using information from HTTP requests
Date: Mon, 18 Oct 2004 11:59:50 +0100 
Hi,

I presume whatever you pass to sendRedirect ends up in the Location: header. Given that the risk is not XSS but HTTP response splitting; you'll have to play with J2EE a bit to see how it handles newlines.

BTW, sometimes scanners report XSS vulns on a 302 redirect page. It seems that in general browsers do not parse the HTML for these pages and the JavaScript is not executed. However, perhaps some obscure browsers will execute it. Does anyone know of any paper that resolves this issue?

Regards,

Paul



V.Benjamin Livshits wrote:

I've been seeing a lot of redirects like the ones below in J2EE
programs.       

1.      response.sendRedirect(request.getParameter("REFERRER"));

2.      response.sendRedirect(request.getRequestURI());
        
3.      response.sendRedirect(request.getServletPath() + toPath);

Since the URL the user is being redirected to comes from the HTTP
header, I was wondering if forging parts of the header may lead to a
cross-site scripting exploit of some sort. Clearly, it would be
dangerous to use this data as part of SQL statements. However, I have
trouble imagining XSS exploit scenarios.

Thanks,

-Ben





--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk


[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Potential XSS errors when using information from HTTP requests, Tibor Veres
Next by Date:  Re: Web Attack Data - Apache, windo
Previous by Thread:  Re: Potential XSS errors when using information from HTTP requests, Tibor Veres
Next by Thread:  Re: Potential XSS errors when using information from HTTP requests, Jeff Williams
Indexes:  [Date] [Thread] [Top] [All Lists]