Tuesday, February 7, 2012

Recipe for JSP / JSTL cross site scripting vulnerabilities

I put this together to grep through JSPs looking for possible cross site scripting vulnerabilities.
grep -R '\${[^}]*}' --include='*.jsp*' --exclude-dir=.svn . \
  | grep -v 'c:out' | grep -v 'c:set' | grep -v 'c:when' | grep -v 'c:if' \
  | grep -v 'c:forEach' | grep -v 'c:param' | grep -v 'fmt:' | grep -v 'c:import' \
  | grep -v jspStoreDir | grep -v pageContext | grep -v svn | less
It's not perfect, but it helped me find some potential issues that the security scans missed. The difference is that I have access to the code and the security scanner doesn't. This was used on a WebSphere Commerce implementation, specifically the Stores directory.

You'll have to page through the results and use your own experience to actually locate the issues; this just helps filter out some of the noise. For example:
<input type='hidden' name='productId' value='${WCParam.productId}' />
This value is written directly into the page rather than going through c:out, which would escape it.
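The grep pipeline works one line at a time, so a line that contains both a c:out and a raw ${...} slips through the filters. The script below is an added example, not the post's own tool: it finds every ${...} expression in a JSP, treats those sitting inside a c:/fmt: tag as handled by the tag (mirroring the prefixes the grep excludes), and flags the rest, plus the one case where c:out itself is unsafe, escapeXml="false". The sample JSP and the WCParam.search/WCParam.note names are constructed for this example.

```python
import re

# A c:/fmt: JSTL tag with its attributes (opening or self-closing). The prefixes
# mirror the tags the post's grep pipeline filters out.
SAFE_TAG_RE = re.compile(r"<(?:c|fmt):[A-Za-z]+\b[^>]*?/?>")
# A c:out that has been told not to escape emits the raw value, so it is not safe.
NO_ESCAPE_RE = re.compile(r"""escapeXml\s*=\s*["']false["']""")
# An EL expression written into the page.
EL_RE = re.compile(r"\$\{[^}]*\}")

# Constructed sample JSP; line 3 is the pattern shown in the post.
SAMPLE_JSP = """\
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:set var="pid" value="${WCParam.productId}"/>
<input type='hidden' name='productId' value='${WCParam.productId}' />
<span><c:out value="${WCParam.productId}"/></span>
<div><c:out value="${WCParam.search}" escapeXml="false"/></div>
<p>${fn:escapeXml(WCParam.note)}</p>
<fmt:message key="${labelKey}"/>
"""


def find_unescaped_el(jsp_text):
    """Return (line_number, expression, line_text) for each ${...} that reaches the
    page without an escaping tag or function around it."""
    # Character ranges covered by JSTL tags that escape their output.
    safe_spans = [
        m.span() for m in SAFE_TAG_RE.finditer(jsp_text)
        if not NO_ESCAPE_RE.search(m.group(0))
    ]
    lines = jsp_text.splitlines()
    findings = []
    for m in EL_RE.finditer(jsp_text):
        start = m.start()
        if any(a <= start < b for a, b in safe_spans):
            continue
        # fn:escapeXml() inside the expression escapes the value itself.
        if "fn:escapeXml(" in m.group(0):
            continue
        line_no = jsp_text.count("\n", 0, start) + 1
        findings.append((line_no, m.group(0), lines[line_no - 1].strip()))
    return findings


def suggest_fix(expression):
    """The hardened form: c:out XML-escapes its value by default."""
    return '<c:out value="%s"/>' % expression


def scan_file(path):
    """Run the check over a JSP on disk (hypothetical usage helper)."""
    with open(path, encoding="utf-8") as fh:
        return find_unescaped_el(fh.read())


if __name__ == "__main__":
    for line_no, expr, text in find_unescaped_el(SAMPLE_JSP):
        print("line %d: %s" % (line_no, text))
        print("    fix: %s" % suggest_fix(expr))
```

Run against the sample, lines 3 and 5 are reported: the raw attribute value from the post and the c:out that disables escaping, while the c:set, the normal c:out, the fn:escapeXml call and the fmt:message are skipped, the same way the grep filters skip them.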

1 comment:

Anonymous said...

Why is the title of this not "grep for success"?
