Tags: javascript, jsp, xss, getparameter

Submitting form still at risk from XSS


I am assigned to fix security issues in legacy code and I was given results from a security scan:

Poor Error Handling: Server Error Message (10932)

Basically, when the scan tries to access the page with some weird code:

www.mywebsite.com/myapp/jspPage.jsp?myVar=Approved%26rhppvar%3DRHPP1234

The server returns a 500 error code, but I have a page that displays "An error occurred" to end users.

myVar should really only ever be "Approved" or "Rejected".

**jspPage.jsp**

```jsp
<%
    // Read the query-string parameter; default to an empty string when absent.
    String myVar = request.getParameter("myVar");
    if (myVar == null)
        myVar = "";
%>

<form method="post" name="ics" action="jspPage.jsp?myVar=Approved">
```

I was wondering if I should be doing anything else as far as checking what gets passed to the myVar parameter? I am not sure what the scan wants me to do...

Also, could the above form still be submitted with something other than the Approved value?

Is this ok as far as not giving much information to attacker?


Solution

  • As @dandavis comments, if the value of the myVar query string parameter is not output to the page then no XSS can occur.

    Read the OWASP page on Cross-site Scripting (XSS) for more information, but basically a page is vulnerable to XSS if it is not correctly encoding output from untrusted sources.

    e.g. if the page output the value of myVar and myVar was <script>alert(1)</script> and this caused a popup dialog box to be displayed, then it would be vulnerable.
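As an added example (not code from the question or the answer), here is how the allowlist check the question asks about, plus HTML encoding of anything echoed back, could look in plain Java; the class and method names are hypothetical and the servlet objects are only sketched in comments.

```java
import java.util.Set;

// Added example: allowlist validation for myVar and HTML encoding on output.
public class MyVarHandling {

    // The only values the page should ever accept for myVar (from the question).
    private static final Set<String> ALLOWED = Set.of("Approved", "Rejected");

    // Returns the value when it is exactly one of the allowed values, else null.
    // The scanner's decoded input "Approved&rhppvar=RHPP1234" is rejected here
    // instead of reaching code further down that may throw and produce a 500.
    static String validateMyVar(String raw) {
        if (raw == null) {
            return null;
        }
        return ALLOWED.contains(raw) ? raw : null;
    }

    // Minimal HTML entity encoding for text placed in an element body or a
    // quoted attribute; in production prefer a maintained encoder such as the
    // OWASP Java Encoder over a hand-rolled one.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Sketch of use inside jspPage.jsp (servlet objects are not available here):
    //   String myVar = MyVarHandling.validateMyVar(request.getParameter("myVar"));
    //   if (myVar == null) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
    //   out.print(MyVarHandling.htmlEscape(myVar));

    public static void main(String[] args) {
        // Constructed sample inputs, including the scanner's value and an XSS probe.
        String[] samples = {"Approved", "Rejected", "Approved&rhppvar=RHPP1234",
                            "<script>alert(1)</script>", null};
        for (String s : samples) {
            String valid = validateMyVar(s);
            System.out.println(s + " -> " + (valid == null ? "rejected" : "ok, echo as " + htmlEscape(valid)));
        }
    }
}
```

Rejecting the value with a 400 before any further processing also answers the scan finding: the malformed request never reaches the code path that raised the 500.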