Missing rules to detect XSS and html injection in java servlets

java
security

(Anders Rogheden) #1

The rules available for OWASP Top 10 A7 - Cross-Site Scripting (XSS) are missing vulnerabilities for Java servlets.
Currently SonarQube cannot detect XSS or HTML injection issues in a servlet.

It would be good if these could be marked as a Security Hotspot at the least.
Maybe something like “Make sure output is properly encoded here.” or something like that.

Example of a vulnerable servlet

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.http.HttpStatus;   // HttpStatus.SC_OK comes from Apache HttpComponents

public class DemoServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");   // untrusted, attacker-controlled
        String date = req.getParameter("date");   // untrusted, attacker-controlled
        resp.setContentType("text/html");
        resp.setCharacterEncoding("UTF-8");
        resp.setStatus(HttpStatus.SC_OK);
        PrintWriter writer = resp.getWriter();
        // The markup tags were stripped when the post was rendered; plain tags restored here.
        writer.write("<html>");
        writer.write("<body>");
        writer.write("<h1>Welcome ");
        writer.write(name);                       // raw parameter written into HTML: reflected XSS
        writer.write("</h1>");
        writer.write("<p>Today is ");
        writer.write(date);                       // same problem for the second parameter
        writer.write("</p>");
        writer.write("</body></html>");
        writer.flush();
    }
}

The input parameters should be properly validated, and the output must be encoded.

Example of servlet with encoded output

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.http.HttpStatus;   // HttpStatus.SC_OK comes from Apache HttpComponents
import org.owasp.esapi.ESAPI;        // OWASP ESAPI output encoder

public class DemoServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");
        String date = req.getParameter("date");
        resp.setContentType("text/html");
        resp.setCharacterEncoding("UTF-8");
        resp.setStatus(HttpStatus.SC_OK);
        PrintWriter writer = resp.getWriter();
        // The markup tags were stripped when the post was rendered; plain tags restored here.
        writer.write("<html>");
        writer.write("<body>");
        writer.write("<h1>Welcome ");
        writer.write(ESAPI.encoder().encodeForHTML(name));   // encoded for an HTML element body
        writer.write("</h1>");
        writer.write("<p>Today is ");
        writer.write(ESAPI.encoder().encodeForHTML(date));   // encoded for an HTML element body
        writer.write("</p>");
        writer.write("</body></html>");
        writer.flush();
    }
}

External reference: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
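The post's advice is "validate the input, encode the output". The following is an added example, not code from the post or from SonarQube: it takes the same two parameters outside a servlet container so it runs as a plain main(), replaces the ESAPI call with a hand-written HTML element-body encoder (so no dependency is needed), and puts the post's vulnerable concatenation next to the hardened version. The class name, the allowlist for name, the ISO-8601 requirement for date and the sample inputs are all assumptions made for this illustration.

```java
import java.time.LocalDate;
import java.time.format.DateTimeParseException;
import java.util.Optional;
import java.util.regex.Pattern;

// Added example, not code from the original post. Assumption: the parameters are only
// ever placed in an HTML element body; attribute, URL and JavaScript contexts each need
// a different encoder, which is why encoding must match the output context.
public final class WelcomePage {

    // Allowlist for "name" (assumption: letters, spaces, apostrophe, hyphen, 1 to 50 chars).
    private static final Pattern NAME = Pattern.compile("[\\p{L} '\\-]{1,50}");

    /** Encode for an HTML element body: the characters that can open markup or close a quoted value. */
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Validation rejects anything outside the allowlist instead of trying to strip tags out. */
    static Optional<String> validName(String raw) {
        return raw != null && NAME.matcher(raw).matches() ? Optional.of(raw) : Optional.empty();
    }

    /** Only an ISO-8601 calendar date (e.g. 2019-05-21) is accepted for "date". */
    static Optional<LocalDate> validDate(String raw) {
        if (raw == null) return Optional.empty();
        try {
            return Optional.of(LocalDate.parse(raw));
        } catch (DateTimeParseException e) {
            return Optional.empty();
        }
    }

    /** Mirrors the post's first servlet: raw parameters concatenated straight into markup. */
    static String renderVulnerable(String name, String date) {
        return "<h1>Welcome " + name + "</h1><p>Today is " + date + "</p>";
    }

    /** Hardened rendering: validate first, then encode whatever validation let through. */
    static String renderSafe(String rawName, String rawDate) {
        Optional<String> name = validName(rawName);
        Optional<LocalDate> date = validDate(rawDate);
        if (!name.isPresent() || !date.isPresent()) {
            // Rejected input is not reflected back, so a bad value never reaches the page.
            return "<p>Invalid request parameters.</p>";
        }
        return "<h1>Welcome " + encodeForHtml(name.get()) + "</h1>"
             + "<p>Today is " + encodeForHtml(date.get().toString()) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign name, a name that passes the allowlist but still
        // contains a quote character, a name carrying markup, and a date that is not a date.
        String[][] samples = {
            {"Anders", "2019-05-21"},
            {"O'Brien", "2019-05-21"},
            {"<script>alert(1)</script>", "2019-05-21"},
            {"Anders", "not-a-date"},
        };
        for (String[] s : samples) {
            System.out.println("name=" + s[0] + " date=" + s[1]);
            System.out.println("  vulnerable: " + renderVulnerable(s[0], s[1]));
            System.out.println("  hardened:   " + renderSafe(s[0], s[1]));
        }
    }
}
```

The second sample is the one worth noticing: validation lets "O'Brien" through, and it is the encoder (turning the apostrophe into `&#x27;`) that keeps that value from ever terminating a quoted attribute if the markup is later changed. Validation and encoding are two separate layers, and a scanner rule such as the requested "Make sure output is properly encoded here" hotspot is about the second one: a `getParameter` value reaching `PrintWriter.write` without passing through an encoder.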