cxf-issues mailing list archives

From "Donald Kwakkel (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6216) No output sanitizing in FormattedServiceListWriter
Date Sat, 24 Jan 2015 22:04:34 GMT

    [ https://issues.apache.org/jira/browse/CXF-6216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14290845#comment-14290845 ]

Donald Kwakkel commented on CXF-6216:
-------------------------------------

This link describes and gives examples of how requestURL can be used for XSS attacks: https://www.superevr.com/blog/2011/three-semicolon-vulnerabilities.
For getRequestURI it is more difficult, because it is encoded. So e.g. this attack will not work: view-source:https://www.eigenhuis.nl/api/v2;';alert('xss1')-'
I do not know how to generate the WADL HTML code with requestURL (from BaseUrlHelper.getBaseURL) as input, so I am not sure if this is an issue. Maybe with the current code base it goes right.
Still it seems preferable to me to sanitize output.

> No output sanitizing in FormattedServiceListWriter 
> ---------------------------------------------------
>
>                 Key: CXF-6216
>                 URL: https://issues.apache.org/jira/browse/CXF-6216
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.0.1
>            Reporter: Donald Kwakkel
>
> No output sanitizing is done, which makes the code vulnerable to injection. I do not
> have a specific use case, but it is a good habit to do. Maybe you can use the OWASP Sanitizer:
> https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
> One example from the file:
>         writer.write("<span class=\"field\">Endpoint address:</span> " + "<span class=\"value\">"
>                      + absoluteURL + "</span>");



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
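The concatenation quoted in the issue writes absoluteURL between the span tags verbatim, so any HTML metacharacter that survives into the base URL ends up in the page as markup. The following is an added example, not code from CXF or from the reporter: it reproduces that concatenation next to a hardened variant that entity-escapes the value first. The class name EndpointAddressRendering, the method names, the hand-written escapeHtml helper (used instead of a library so the file is self-contained) and the hostile sample URL are all assumptions; the sample stands in for what a request URL may carry after a ';' path parameter, the case the blog post linked in the comment above describes.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

public class EndpointAddressRendering {

    // Same shape as the quoted writer.write(...) call: absoluteURL is concatenated
    // into the HTML without any encoding, so "<", ">", quotes and "&" reach the browser as-is.
    static String renderUnsafe(String absoluteURL) throws IOException {
        Writer writer = new StringWriter();
        writer.write("<span class=\"field\">Endpoint address:</span> "
                     + "<span class=\"value\">" + absoluteURL + "</span>");
        return writer.toString();
    }

    // Hardened form: the value is escaped for an HTML text context before it is written,
    // so whatever the base URL contains is displayed, never parsed as markup.
    static String renderEscaped(String absoluteURL) throws IOException {
        Writer writer = new StringWriter();
        writer.write("<span class=\"field\">Endpoint address:</span> "
                     + "<span class=\"value\">" + escapeHtml(absoluteURL) + "</span>");
        return writer.toString();
    }

    // Minimal HTML entity escaping for text content. Hypothetical helper written for this
    // example; a project would normally use a maintained encoder such as the OWASP one
    // mentioned in the issue rather than its own.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an attacker-influenced base URL whose path parameter
        // (the part after ';') carries markup. Assumed input, not a captured request.
        String hostile = "https://example.test/api/v2;<script>alert('xss1')</script>";

        System.out.println("unsafe : " + renderUnsafe(hostile));
        System.out.println("escaped: " + renderEscaped(hostile));
    }
}
```

Run with `javac EndpointAddressRendering.java && java EndpointAddressRendering`; the first line contains a live script element inside the value span, the second contains only `&lt;script&gt;...` text. Escaping at the point of output, as in renderEscaped, is what makes the writer safe regardless of whether the caller obtained the URL from getRequestURL or from the already-encoded getRequestURI.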
