Improper Neutralization of Input During Web Page Generation

ID

scala.xss.scala_xss_rule_xssreqparamtoservletwriter

Severity

low

Resource

Xss

Language

Scala

Description

Servlet reflected cross-site scripting (XSS) vulnerability

Rationale

Servlet reflected cross-site scripting (XSS) vulnerability: a value taken from the request is written into the response body without output encoding.

The following code illustrates a vulnerable pattern detected by this rule:

class XSSReqParamToServletWriter extends HttpServlet {
  /** Rule fixture: the minimal reflected-XSS flow this detector reports.
   *
   *  `req.getParameter("input1")` is a client-controlled source and
   *  `resp.getWriter.write(...)` is a response-body sink. No encoding or validation
   *  sits between them, so the line marked `// BAD` is the finding.
   *
   *  @param req  incoming request; only the `input1` parameter is read
   *  @param resp response whose writer receives the parameter value unchanged
   */
  @throws[ServletException]
  @throws[IOException]
  protected def danger(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    // Source: request parameter (presumably null when absent — servlet API behaviour, not shown here).
    val input1 = req.getParameter("input1")
    // VULNERABLE: Improper Neutralization of Input During Web Page Generation
    // Sink: the raw parameter is written verbatim into the response body.
    resp.getWriter.write(input1) // BAD

  }

  /** Rule fixture: the same source-to-sink flow as [[danger]], with unrelated request reads
   *  in between so the detector has to carry `input1` across them.
   *
   *  `sessionId`, `queryString`, `referrer`, `host`, `referer` and `userAgent` are read but
   *  never used in this method; they are noise for the detector, not controls. The `Referer`
   *  prefix check only guards the inner block and touches neither `input1` nor the write,
   *  so it does not make the sink safe.
   *
   *  @param req  incoming request; `input1` is the tainted value
   *  @param resp response that receives the unencoded parameter
   */
  @throws[ServletException]
  @throws[IOException]
  override protected def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    val input1 = req.getParameter("input1") // BAD
    val sessionId = req.getRequestedSessionId
    val queryString = req.getQueryString
    val referrer = req.getHeader("Referer") //Should have a higher priority
    // NOTE(review): a startsWith match on a client-supplied header is not an origin check,
    // and nothing below depends on the values read inside this block.
    if (referrer != null && referrer.startsWith("http://company.ca")) { // Header access
      val host = req.getHeader("Host")
      val referer = req.getHeader("Referer")
      val userAgent = req.getHeader("User-Agent")
    }
    val writer = resp.getWriter
    // VULNERABLE: Improper Neutralization of Input During Web Page Generation
    // Sink: same unencoded parameter as in danger, written through a named writer.
    writer.write(input1)
  }

  @throws[ServletException]
  @throws[IOException]
  protected def danger3(req: HttpServletRequest, resp: HttpServletResponse): Unit = {

Remediation

Encode request-derived values for the HTML context before writing them to the response (or render through a templating mechanism that escapes by default), and review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.

References