[hyddd's FindBugs analysis notes] [M S XSS] Servlet reflected cross site scripting vulnerability
2009-04-01 21:18 hyddd
[M S XSS] Servlet reflected cross site scripting vulnerability [XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER]
This code directly writes an HTTP parameter to Servlet output, which allows for a reflected cross site scripting vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
FindBugs looks only for the most blatant, obvious cases of cross site scripting. If FindBugs found any, you almost certainly have more cross site scripting vulnerabilities that FindBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool.
First, look at the following code (the fragment from the post, placed inside a servlet class so that it compiles; the class name is assumed):

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.*;

public class VersionCheckServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // "v" comes straight from the query string, so it is attacker-controlled
        String v = request.getParameter("v");
        PrintWriter out = response.getWriter();
        // the raw value is written into the response body without any encoding: this is the line FindBugs flags
        out.print("协议版本号不对,v=" + v); // message reads "wrong protocol version, v="
        out.close();
    }
}
Author: hyddd
Source: http://www.cnblogs.com/hyddd/
This article is copyrighted by its author. Reposting, adaptation or commercial use is welcome, but the source of this article (including the link) must be credited.