Here a sample code that shows the workflow:
-------------
on a controller class (marked with the @Controller attribute)
@RequestMapping(value = "/externalUrl.html", method = RequestMethod.GET)
public String doSomething(HttpServletRequest request, Map
model.put("putPayloadHere", request.getParameter("putPayloadHere"));
return "viewThatShowsPayload";
}
on the JSP (for example /jsps/viewThatShowsPayload.jsp)
payload: ${putPayloadHere}
-------------
for reference the above code will be compiled (in the viewThatShowsPayload_jsp.java) into something that looks like this:
out.write("");
out.write((java.lang.String) org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate("${putPayloadHere}", java.lang.String.class, (PageContext)_jspx_page_context, NULL, false));
out.write("");
My question is: In the above example will the request http://xxx/externalUrl.htm?putPayloadHere= ALWAYS result in XSS?
The key part of the question is the always bit, since:
a) By default (according my google searches) ${xxx} in JSP doesn't perform HTML Encoding (the sugested alternative is
b) in Spring MVC there is the DefaultHtmlEncode option (http://static.springframework.org/spring/docs/2.5.x/reference/spring.tld.html#spring.tld.htmlEscape), but this only seems to affect the Spring Tags. I belive this is now enabled by default, but couldn't find any documentation to support that (http://shh.thathost.com/secadv/spring-form-xss/)
c) Are there other valid alternatives to make ${xxx} encode its result by default? For example Matt Raible in http://raibledesigns.com/rd/entry/java_web_frameworks_and_xss mentions this: "The good news is #2 doesn't seem to be that hard. I pulled down commons-el yesterday, added a hack to escape XML, re-jarred and put it in Tomcat 5.0.25's classpath. This actually worked and I was impressed it was so easy. However, when I looked at Tomcat 6, commons-el is no longer used and now there's a "jasper-el.jar" in the lib directory. I don't mind modifying another library, but what's the difference between jasper-el and commons-el? " , have anybody seen this solution work on an enterprise app?
d) Matt also triggered this request http://raibledesigns.com/rd/entry/proposed_tomcat_enhancement_add_flag which doesn't seem to have gone anywhere, should this be something that the ISWG should be persuing?
e) Finally, is there an equivalent for J2EE of the Microsoft Anti-XSS (the latest version) which is able to add output encoding without touching the code?
(note: I also looked at http://www.owasp.org/index.php/JSP_JSTL and http://www.owasp.org/index.php/J2EE_Bad_Practices:_JSP_Expressions and once I've clarify this, will update these pages with the results)
