Servlet Reflected Cross Site Scripting Vulnerability

Description

The application is vulnerable to cross-site scripting (XSS) attacks because it directly writes user-controlled input from an HTTP request to the response without proper encoding. This allows an attacker to inject malicious JavaScript code into the response, potentially leading to unauthorized actions or data theft.

Examples

Insecure Code

```scala
import javax.servlet.http.{HttpServletRequest, HttpServletResponse}

def handleRequest(req: HttpServletRequest, res: HttpServletResponse): Unit = {
  val writer = res.getWriter
  // The request parameter is copied into the response body verbatim, so any
  // markup or script it contains is parsed by the browser (reflected XSS).
  writer.write(req.getParameter("userInput"))
}
```

Secure Code

```scala
import javax.servlet.http.{HttpServletRequest, HttpServletResponse}
import org.owasp.encoder.Encode

def handleRequest(req: HttpServletRequest, res: HttpServletResponse): Unit = {
  val writer = res.getWriter
  // Encode.forHtml (OWASP Java Encoder) replaces characters such as <, >, &,
  // " and ' with entities, so the parameter is rendered as text, not markup.
  writer.write(Encode.forHtml(req.getParameter("userInput")))
}
```

Remediation

Encode user-controlled input for the HTML context it is written into, using a library such as OWASP ESAPI or Java's built-in encoding functions, before writing it to the response.
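The following is an added example, not code from the rule page or from the OWASP projects it mentions. It reproduces the insecure and secure handlers above using only the JDK so it runs without a servlet container: a constructed parameter map stands in for HttpServletRequest, the returned String stands in for the response writer, and a small hand-written forHtml encoder stands in for the library's Encode.forHtml (the helper and the reflectsUnencoded check are assumptions made for this example, not library APIs).

```java
import java.util.Map;

public class ReflectedXssDemo {

    // Hypothetical stand-in for OWASP Java Encoder's Encode.forHtml: the
    // characters that can change HTML parsing state become entities and
    // everything else passes through. Use the real library in production.
    static String forHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable form of the handler: the parameter lands in the HTML body as-is.
    static String handleInsecure(Map<String, String> params) {
        return "<p>Hello, " + params.get("userInput") + "</p>";
    }

    // Fixed form of the handler: the parameter is encoded for the HTML text
    // context before it is written.
    static String handleSecure(Map<String, String> params) {
        return "<p>Hello, " + forHtml(params.get("userInput")) + "</p>";
    }

    // Coarse check usable in a unit test or response scanner: did an input
    // containing markup-significant characters survive into the response
    // unencoded? A real scanner would parse the HTML; this only looks for
    // the raw input string.
    static boolean reflectsUnencoded(String response, String input) {
        if (input == null) {
            return false;
        }
        boolean hasMarkupChars = false;
        for (char c : input.toCharArray()) {
            if ("&<>\"'".indexOf(c) >= 0) {
                hasMarkupChars = true;
                break;
            }
        }
        return hasMarkupChars && response.contains(input);
    }

    public static void main(String[] args) {
        // Constructed sample input exercising all five encoded characters.
        String sample = "<i>tag</i> & \"quotes\" 'apostrophe'";
        Map<String, String> params = Map.of("userInput", sample);

        String insecure = handleInsecure(params);
        String secure = handleSecure(params);

        System.out.println("insecure: " + insecure);
        System.out.println("secure:   " + secure);
        // Expected: true for the insecure handler, false for the secure one.
        System.out.println("insecure reflects raw markup? " + reflectsUnencoded(insecure, sample));
        System.out.println("secure reflects raw markup?   " + reflectsUnencoded(secure, sample));
    }
}
```

Compile and run with `javac ReflectedXssDemo.java && java ReflectedXssDemo` (Java 9 or later for Map.of). The encoder shown is only correct for the HTML text-node context of the snippets above; a value written into an attribute, a script block, or a URL needs the matching contextual encoder, which is why the remediation points at a library rather than a single escape routine.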

Rule Details

Field           Value
ID              CODE-0086
Category        Web
Severity        MEDIUM
CWE             CWE-79
Confidence      HIGH
Impact          HIGH
Likelihood      MEDIUM
Exploitability  EASY
Tags            xss, servlet, injection
OWASP           N/A