Cross Site History Manipulation ('XSHM')

ID

java.cross_site_history_manipulation

Severity

high

Resource

Injection

Language

Java

Tags

CWE:203, NIST.SP.800-53, PCI-DSS:6.5.1

Description

Cross-Site History Manipulation (XSHM) is a same-origin policy violation that lets an attacker's page infer state on another site through the browser's history. A script cannot read the entries of a cross-origin page's history, but it can read history.length, and it can load the target site in an iframe and compare the length before and after the load. When the target site answers some condition (an authenticated session, an existing resource, a previously submitted request that succeeded) with a redirect and otherwise does not, the number of history entries the load adds differs, and that difference reveals whether the condition held.

By exploiting this, a malicious actor can learn cross-origin facts that the responses themselves never expose, such as whether the victim is logged in to the target application or whether an earlier request had an effect. Where the redirect target is additionally taken from the request, the same code path is also an uncontrolled redirect that can send the user to an attacker-chosen site while they believe they are still interacting with a trusted one.

Rationale

In Java web applications XSHM typically arises in servlets and filters that issue a conditional redirect: a redirect that is sent only when some server-side condition holds, for instance when the user has no session, when a header or parameter has a particular value, or when a record exists. A cross-origin attacker page cannot read the response body or status, but it can count the history entries the load produced and so learn which branch the server took. When the redirect target is also built from untrusted input, the same code allows uncontrolled redirection.

Because the leak is observed in the browser's history, the server sees nothing unusual: the signal is the presence or absence of the redirect, not the content of the response. An uncontrolled redirect built on the same branch additionally lets the attacker mislead users about the previous page they visited or send them to a malicious site without their consent.

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class VulnerableHistoryManipulation {
    public void service(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // "Referer" is client-controlled: whichever page links to or embeds this one chooses it.
        String referrer = request.getHeader("Referer");

        // Conditional redirect: whether the response is a 302 depends on request data.
        if (referrer != null && referrer.equals("http://trusted.com")) {
            // Normal processing
        } else {
            // BAD: uncontrolled redirect to a URL supplied by the client. Besides sending the
            // user to an attacker-chosen site, the redirect adds a history entry only on this
            // branch, so a cross-origin page can tell which branch was taken.
            response.sendRedirect(referrer);
        }
    }
}

In the sample above, the servlet reads the "Referer" header directly from the HTTP request and redirects to it without any validation or control over the target. Two things are wrong: the redirect target is untrusted, so the user can be sent anywhere, and the decision to redirect at all depends on request data, so an attacker page that loads this servlet in an iframe and compares history.length before and after learns which branch executed. The same pattern becomes a cross-origin state leak as soon as the condition depends on the victim's session rather than on a header the attacker sets.

Remediation

To remediate Cross-Site History Manipulation vulnerabilities in Java applications, apply the following practices:

  1. Validate and Sanitize Inputs: Validate any data coming from HTTP headers or user input before using it to change the application's state or as a redirect target. Never trust headers such as "Referer": they are set by the client and can be forged or omitted at will.

  2. Implement URL Whitelisting: Keep a whitelist of hosts and paths the application is allowed to redirect to, check every candidate target against it, and fall back to a fixed default when the check fails. Compare parsed URL components (scheme, host, path), not raw string prefixes, so that protocol-relative URLs, userinfo tricks and look-alike hosts are rejected.

  3. Use Secure API Libraries: Prefer framework facilities that resolve redirect targets against the application's own origin or a configured allow list, rather than hand-written string handling, so that improper input handling cannot turn into a redirect to an attacker's site.

  4. Limit Browser Manipulation: Do not issue a redirect only on one branch of a state-dependent decision. If a condition such as "no session" must change the response, keep the number of navigations identical on both branches (for example, render the login form in place, or redirect on every branch) so that history.length does not reveal the outcome. Avoid redirects and history changes the application does not need for its core purpose.

  5. Review Browser History Scripts: Regularly audit server-side code that calls sendRedirect or sets a Location header, and client-side code that calls history.pushState, history.replaceState or changes location, to confirm that neither the redirect target nor the decision to redirect depends on untrusted or state-revealing data.
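The following validator is an added example, not code from the original page or from any rule catalog; it implements practices 1, 2 and 4 above for a client-supplied redirect target. The allow-listed hosts, the default path and the sample inputs are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Validates a client-supplied redirect target before it is passed to
 * HttpServletResponse.sendRedirect(). Anything that is not a same-origin
 * absolute path or an https URL to an allow-listed host is replaced by a
 * fixed default, so the request can never choose an arbitrary target.
 */
public final class RedirectTargetValidator {

    // Assumed for this example: hosts the application may redirect to.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("app.example.com", "sso.example.com");

    // Fixed fallback used whenever the candidate fails validation.
    static final String DEFAULT_TARGET = "/home";

    public static String safeRedirectTarget(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return DEFAULT_TARGET;
        }
        // Reject control characters, whitespace and backslashes up front:
        // browsers treat "/\evil.com" like "//evil.com", and CR/LF would
        // allow header injection in containers that do not strip them.
        for (char c : candidate.toCharArray()) {
            if (c <= 0x20 || c == 0x7f || c == '\\') {
                return DEFAULT_TARGET;
            }
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative reference: accept only an absolute path on this origin.
            // "//evil.com" parses with an authority and never reaches here.
            String path = uri.getRawPath();
            if (path != null && path.startsWith("/") && !path.startsWith("//")) {
                return candidate;
            }
            return DEFAULT_TARGET;
        }
        // Absolute URL: https only, no userinfo ("https://app.example.com@evil.com"),
        // no explicit port, and the host must match the allow list exactly.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return DEFAULT_TARGET;
        }
        if (uri.getRawUserInfo() != null || uri.getPort() != -1) {
            return DEFAULT_TARGET;
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return DEFAULT_TARGET;
        }
        return candidate;
    }

    // Constructed sample inputs; the comment states the expected decision.
    public static void main(String[] args) {
        String[] candidates = {
            "/account/settings?tab=security",      // kept: same-origin path
            "https://sso.example.com/logout",      // kept: allow-listed host
            "//evil.com/phish",                    // replaced: protocol-relative
            "/\\evil.com",                         // replaced: backslash
            "https://app.example.com@evil.com/",   // replaced: userinfo trick
            "https://app.example.com.evil.com/",   // replaced: look-alike host
            "javascript:alert(1)",                 // replaced: non-https scheme
            "http://sso.example.com/",             // replaced: plain http
            null                                   // replaced: missing
        };
        for (String c : candidates) {
            System.out.printf("%-40s -> %s%n", c, safeRedirectTarget(c));
        }
    }
}
```

In a login or logout servlet the call becomes response.sendRedirect(RedirectTargetValidator.safeRedirectTarget(request.getParameter("returnTo"))) (parameter name assumed). Returning the fixed default instead of rendering an error page keeps the response a redirect whether or not validation succeeded, so the outcome of the check itself is not observable through history.length; the decision to redirect should likewise not depend on whether the user holds a session.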