org.sonar.plugins.findbugs.rules-jsp.xml Maven / Gradle / Ivy
<rules><!-- This file is auto-generated. --> <rule key='JSP_INCLUDE' priority='CRITICAL'> <name>Security - Dynamic JSP inclusion</name> <configKey>JSP_INCLUDE</configKey> <description><p>The inclusion of JSP file allow the entry of dynamic value. It may allow an attacker to control the JSP page included. If this is the case, an attacker will try to include a file on disk that he controls. By including arbitrary files, the attacker gets the ability to execute any code. </p> <p> <b>Vulnerable Code:</b> <pre>&lt;jsp:include page="${param.secret_param}" /&gt;</pre> </p> <p> <b>Solution:</b> <pre>&lt;c:if test="${param.secret_param == 'page1'}"&gt; &lt;jsp:include page="page1.jsp" /&gt; &lt;/c:if&gt;</pre> </p> <br/> <p> <b>References</b><br/> <a href="http://resources.infosecinstitute.com/file-inclusion-attacks/">InfosecInstitute: File Inclusion Attacks</a><br/> <a href="http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion">WASC-05: Remote File Inclusion</a><br/> </p></description> <tag>wasc</tag> <tag>jsp</tag> <tag>security</tag> </rule> <rule key='JSP_SPRING_EVAL' priority='CRITICAL'> <name>Security - Dynamic variable in Spring expression</name> <configKey>JSP_SPRING_EVAL</configKey> <description><p>A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. </p> <p> <b>Vulnerable Code:</b> <pre>&lt;%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %&gt; &lt;spring:eval expression="${param.lang}" var="lang" /&gt;</pre> <br> <pre>&lt;%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %&gt; &lt;spring:eval expression="'${param.lang}'=='fr'" var="languageIsFrench" /&gt;</pre> </p> <p> <b>Solution:</b> <pre>&lt;c:set var="lang" value="${param.lang}"/&gt;</pre> <br/> <pre>&lt;c:set var="languageIsFrench" value="${param.lang == 'fr'}"/&gt;</pre> </p> <br/> <p> <b>References</b><br/> <a href="http://cwe.mitre.org/data/definitions/94.html">CWE-94: Improper Control of Generation of Code ('Code Injection')</a><br/> <a href="http://cwe.mitre.org/data/definitions/95.html">CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')</a><br/> </p></description> <tag>owasp-a1</tag> <tag>injection</tag> <tag>cwe</tag> <tag>jsp</tag> <tag>security</tag> </rule> <rule key='JSP_JSTL_OUT' priority='MAJOR'> <name>Security - Escaping of special XML characters is disabled</name> <configKey>JSP_JSTL_OUT</configKey> <description><p>A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references) </p> <p> <b>Vulnerable Code:</b> <pre>&lt;%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %&gt; &lt;c:out value="${param.test_param}" escapeXml="false"/&gt;</pre> </p> <p> <b>Solution:</b> <pre>&lt;%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %&gt; &lt;c:out value="${param.test_param}"/&gt;</pre> </p> <br/> <p> <b>References</b><br/> <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/> <a href="http://docs.oracle.com/javaee/5/jstl/1.1/docs/tlddocs/c/out.html">JSTL Javadoc: Out tag</a><br/> </p></description> <tag>owasp-a3</tag> <tag>wasc</tag> <tag>cwe</tag> <tag>jsp</tag> <tag>security</tag> </rule> <rule key='XSS_JSP_PRINT' priority='MAJOR'> <name>Security - Potential XSS in JSP</name> <configKey>XSS_JSP_PRINT</configKey> <description><p>A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references) </p> <p> <b>Vulnerable Code:</b> <pre><% String taintedInput = (String) request.getAttribute("input"); %> [...] &lt;%= taintedInput %&gt;</pre> </p> <p> <b>Solution:</b> <pre> &lt;% String taintedInput = (String) request.getAttribute("input"); %&gt; [...] &lt;%= Encode.forHtml(taintedInput) %&gt; </pre> </p> <p> The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider: HTML, JavaScript, CSS (styles), and URLs. Please follow the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet, which explains these defenses in significant detail. </p> <br/> <p> <b>References</b><br/> <a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/> <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/> <a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/> <a href="http://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/> <a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/> </p></description> <tag>owasp-a3</tag> <tag>wasc</tag> <tag>cwe</tag> <tag>jsp</tag> <tag>security</tag> </rule> <rule key='JSP_XSLT' priority='CRITICAL'> <name>Security - A malicious XSLT could be provided</name> <configKey>JSP_XSLT</configKey> <description><p> "XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents".<sup>[1]</sup><br/> It is possible to attach malicious behavior to those stylesheets. Therefore, if an attacker can control the content or the source of the stylesheet, he might be able to trigger remote code execution.<sup>[2]</sup> </p> <p> <b>Code at risk:</b><br/> <pre> &#x3C;x:transform xml=&#x22;${xmlData}&#x22; xslt=&#x22;${xsltControlledByUser}&#x22; /&#x3E; </pre> </p> <p> <b>Solution:</b><br/> <p> The solution would be to make sure the stylesheet is loaded from a safe sources and make sure that vulnerabilities such as Path traversal <sup>[3][4]</sup> are not possible. </p> <p> <b>References</b><br/> [1] <a href="https://en.wikipedia.org/wiki/XSLT">Wikipedia: XSLT (Extensible Stylesheet Language Transformations)</a><br/> <a href="https://prezi.com/y_fuybfudgnd/offensive-xslt/">Offensive XSLT</a> by Nicolas Gregoire<br/> [2] <a href="http://www.agarri.fr/kom/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html">From XSLT code execution to Meterpreter shells</a> by Nicolas Gregoire<br/> <a href="http://xhe.myxwiki.org/xwiki/bin/view/Main/">XSLT Hacking Encyclopedia</a> by Nicolas Gregoire<br/> <a href="http://www.acunetix.com/blog/articles/the-hidden-dangers-of-xsltprocessor-remote-xsl-injection/">Acunetix.com : The hidden dangers of XSLTProcessor - Remote XSL injection</a><br/> <a href="https://www.w3.org/TR/xslt">w3.org XSL Transformations (XSLT) Version 1.0</a> : w3c specification<br/> [3] <a href="http://projects.webappsec.org/w/page/13246952/Path%20Traversal">WASC: Path Traversal</a><br/> [4] <a href="https://www.owasp.org/index.php/Path_Traversal">OWASP: Path Traversal</a><br/> </p></description> <tag>owasp-a1</tag> <tag>injection</tag> <tag>owasp-a4</tag> <tag>wasc</tag> <tag>jsp</tag> <tag>security</tag> </rule> <rule key='XSS_REQUEST_PARAMETER_TO_JSP_WRITER' priority='MAJOR'> <name>Security - JSP reflected cross site scripting vulnerability</name> <configKey>XSS_REQUEST_PARAMETER_TO_JSP_WRITER</configKey> <description><p>This code directly writes an HTTP parameter to JSP output, which allows for a cross site scripting vulnerability. See <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">http://en.wikipedia.org/wiki/Cross-site_scripting</a> for more information.</p> <p>SpotBugs looks only for the most blatant, obvious cases of cross site scripting. If SpotBugs found <em>any</em>, you <em>almost certainly</em> have more cross site scripting vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool. </p></description> <tag>owasp-a3</tag> <tag>jsp</tag> <tag>security</tag> </rule> </rules>
© 2015 - 2025 Weber Informatics LLC | Privacy Policy