The rules available for OWASP Top 10 A7 - Cross-Site Scripting (XSS) are missing vulnerabilities for Java servlets.
Currently SonarQube cannot detect XSS or HTML injection issues in a servlet.
It would be good if these could at least be marked as a Security Hotspot.
Maybe something like "Make sure output is properly encoded here."
Example of a vulnerable servlet
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.http.HttpStatus;

public class DemoServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Untrusted values taken straight from the request
        String name = req.getParameter("name");
        String date = req.getParameter("date");
        resp.setContentType("text/html");
        resp.setCharacterEncoding("UTF-8");
        resp.setStatus(HttpStatus.SC_OK);
        PrintWriter writer = resp.getWriter();
        // Static HTML markup (tag text not shown in the post)
        writer.write("");
        writer.write("");
        writer.write("Welcome ");
        writer.write(name);   // request parameter written to the HTML response unencoded
        writer.write("");
        writer.write("Today is ");
        writer.write(date);   // same for the second parameter
        writer.write("");
        writer.write("");
        writer.flush();
    }
}
The input parameters should be properly validated, and the output must be encoded.
Example of servlet with encoded output
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.http.HttpStatus;
import org.owasp.esapi.ESAPI;

public class DemoServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");
        String date = req.getParameter("date");
        resp.setContentType("text/html");
        resp.setCharacterEncoding("UTF-8");
        resp.setStatus(HttpStatus.SC_OK);
        PrintWriter writer = resp.getWriter();
        // Static HTML markup (tag text not shown in the post)
        writer.write("");
        writer.write("");
        writer.write("Welcome ");
        // Encode for the HTML element-content context before writing
        writer.write(ESAPI.encoder().encodeForHTML(name));
        writer.write("");
        writer.write("Today is ");
        writer.write(ESAPI.encoder().encodeForHTML(date));
        writer.write("");
        writer.write("");
        writer.flush();
    }
}
External reference: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
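As an added illustration of what the requested check would have to do (example code written for this page, not a SonarQube rule and not part of the original post), the following Python prototype tracks request parameters through a doGet body and reports every write to the response that a parameter reaches without passing through an HTML encoder, using the hotspot message suggested above. The three Java snippets are constructed: the first two are the servlet bodies from the post reduced to their data flow, the third adds an intermediate variable to show taint propagation. The lists of source, sink and sanitizer method names are assumptions (ESAPI and commons-text style encoders only).

```python
import re
from typing import List, Tuple

# Constructed sample inputs: the doGet bodies of the two servlets in the post,
# reduced to the statements that matter for data flow.
VULNERABLE_BODY = """\
String name = req.getParameter("name");
String date = req.getParameter("date");
PrintWriter writer = resp.getWriter();
writer.write("Welcome ");
writer.write(name);
writer.write("Today is ");
writer.write(date);
writer.flush();
"""

ENCODED_BODY = """\
String name = req.getParameter("name");
String date = req.getParameter("date");
PrintWriter writer = resp.getWriter();
writer.write("Welcome ");
writer.write(ESAPI.encoder().encodeForHTML(name));
writer.write("Today is ");
writer.write(ESAPI.encoder().encodeForHTML(date));
writer.flush();
"""

# Constructed: request data copied into another variable before being written.
PROPAGATED_BODY = """\
String name = req.getParameter("name");
String greeting = "Hello " + name;
PrintWriter out = resp.getWriter();
out.println(greeting);
"""

# Sources: request data entering the method (assumed list of accessor names).
SOURCE_RE = re.compile(
    r'^\s*(?:final\s+)?String\s+(\w+)\s*=\s*\w+\.(?:getParameter|getHeader|getQueryString)\(')
# Plain assignments, with or without a declared type: taint flows to the target.
ASSIGN_RE = re.compile(r'^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);\s*$')
# Sinks: anything written straight into the response (assumed method names).
SINK_RE = re.compile(r'\b\w+\.(?:write|print|println|append)\((.*)\)\s*;\s*$')
# Sanitizers for the HTML element-content context; their argument counts as safe.
SANITIZER_RE = re.compile(r'\b(?:encodeForHTML|escapeHtml4|escapeHtml)\([^()]*\)')
STRING_LITERAL_RE = re.compile(r'"(?:\\.|[^"\\])*"')
IDENT_RE = re.compile(r'\b[A-Za-z_]\w*\b')

HOTSPOT_MESSAGE = "Make sure output is properly encoded here."


def unsanitized_identifiers(expr: str) -> set:
    """Identifiers in a Java expression that are neither inside a string
    literal nor the argument of a known HTML encoder."""
    expr = STRING_LITERAL_RE.sub('""', expr)
    expr = SANITIZER_RE.sub('""', expr)
    return set(IDENT_RE.findall(expr))


def find_xss_hotspots(java_body: str) -> List[Tuple[int, str]]:
    """Return (line number, variable) pairs where request data reaches a
    response write without passing through a known HTML encoder."""
    tainted = set()
    hotspots = []
    for lineno, line in enumerate(java_body.splitlines(), start=1):
        source = SOURCE_RE.match(line)
        if source:
            tainted.add(source.group(1))
            continue
        assign = ASSIGN_RE.match(line)
        if assign:
            target, rhs = assign.groups()
            if unsanitized_identifiers(rhs) & tainted:
                tainted.add(target)       # taint propagates through the assignment
            else:
                tainted.discard(target)   # reassigned from something clean
            continue
        sink = SINK_RE.search(line)
        if sink:
            for var in sorted(unsanitized_identifiers(sink.group(1)) & tainted):
                hotspots.append((lineno, var))
    return hotspots


if __name__ == "__main__":
    samples = (("vulnerable", VULNERABLE_BODY), ("encoded", ENCODED_BODY),
               ("propagated", PROPAGATED_BODY))
    for label, body in samples:
        for lineno, var in find_xss_hotspots(body):
            print(f"{label}: line {lineno}: {HOTSPOT_MESSAGE} ('{var}' comes from the request)")
```

The prototype is line-oriented and intraprocedural, which is enough to separate the two servlets above, but a real rule works on the syntax tree and also has to know the output context: encodeForHTML is correct for element content, while a value placed in an attribute, a URL or a script block needs the encoder for that context, so the hotspot wording "properly encoded" is the right level of claim for a static check.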