Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Potential XSS errors when using information from HTTP requests

from [Calderon, Juan Carlos (GE Commercial Finance, NonGE)] Network Security [Permanent Link]
Subject: RE: Potential XSS errors when using information from HTTP requests
Date: Mon, 18 Oct 2004 10:12:41 -0400 
I can see a potential XSS issue in the first option, since Java contains a 
design issue allowing you to obtain information sent though GET or POST (and as 
far I can see HTTP headers) using the same sentence and with no form to change 
this behaviour(I mean calling request.getParameter).

In the event you enter a URL field and a Form field with the same name and sent 
them to the server the URL field will take precedence and thus be taken by 
request.getParameter. Therefore, adding a REFERER parameter to an URL 
(probably?) will take precedence over HTTP header as well.

A little more research will confirm or discart this issue using an HTTP header.

Best Regards,
-Juan Carlos Calderon

-----Original Message-----
From: V.Benjamin Livshits [mailto:livshits@cs.stanford.edu]
Sent: Sábado, 16 de Octubre de 2004 04:27 p.m.
To: webappsec@securityfocus.com
Subject: Potential XSS errors when using information from HTTP requests


I've been seeing a lot of redirects like the ones below in J2EE
programs.       

1.      response.sendRedirect(request.getParameter("REFERRER"));

2.      response.sendRedirect(request.getRequestURI());
        
3.      response.sendRedirect(request.getServletPath() + toPath);

Since the URL the user is being redirected to comes from the HTTP
header, I was wondering if forging parts of the header may lead to a
cross-site scripting exploit of some sort. Clearly, it would be
dangerous to use this data as part of SQL statements. However, I have
trouble imagining XSS exploit scenarios.

Thanks,

-Ben
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Web Attack Data - Apache, windo
Next by Date:  Re: Potential XSS errors when using information from HTTP requests, Jeff Williams
Previous by Thread:  Re: Potential XSS errors when using information from HTTP requests, Jeff Williams
Next by Thread:  Recommendations for web app test?, App Crawler
Indexes:  [Date] [Thread] [Top] [All Lists]