I’m trying to provide a somewhat meaningful example of Why Can’t I Just HTML Entity Encode Untrusted Data?. I’d like the demo to work within a JSP (or other Java Based Templating Technology). Concreely, I’ve currently come up with the following example:
<html>
<head></head>
<body>
<script>
<c:out value="alert(7)"/>
</script>
<p>
<c:out value="alert(7)"/>
</p>
</body>
</html>
The example demonstrates how properly HTML encoding an untrusted value alert(7)
will be fine in an HTML context, but unsafe in a <script>
.
However, it is not very realistic because a user would likely place the untrusted value in quotes:
<html>
<head></head>
<body>
<script>
var v = '<c:out value="alert(7)"/>';
</script>
<p>
<c:out value="alert(7)"/>
</p>
</body>
</html>
With the value in quotes, the difficulty with getting XSS is that c:out escapes "
.
For example, the following:
<script>
var a = "<c:out value="\";alert(7)\\"/>";
</script>
becomes:
<script>
var a = "";alert(7)\";
</script>
In summary:
-
I’d like to demo Why Can’t I Just HTML Entity Encode Untrusted Data?.
-
I’d like the demo to work within a JSP (or other Java Based Templating Technology) but within a more realistic context.
-
I’m fine if the attack is simply popping up an alert.
-
It does not need to be html vs script (it could be something like an HTML vs HTML attribute). So long as it is something a somewhat responsible user would do (i.e. I assume the user would put quotes on the attribute, put quotes around the value injected into the JavaScript
var v = '${htmlEncodedValue}'
, etc)
I’ve put together a sample application for playing around with creating the sample at https://github.com/rwinch/spring-boot-xss. The README contains details on the sample.
To run the sample from the command line use:
$ ./gradlew bootRun
You can also import as an existing project into Eclipse using:
$ ./gradlew eclipse
File→Import→Existing Project into Workspace
Then you can run by right clicking on SpringBootXssApplication.java
and selecting Run As→Java Application
The value being injected can be controlled in SpringBootXssApplication
.
I’m not doing this via URL parameters since many browsers protect against reflective XSS these days.
Below is a guide to manipulating the templates:
Technology | Template Location | URL |
---|---|---|
JSP |
||
Thymeleaf |
||
Velocity |