Missing rules to detect XSS and html injection in java servlets

java
security

(Anders Rogheden) #1

The rules available for OWASP Top 10 A7 - Cross-Site Scripting (XSS) are missing vulnerabilities for Java servlets.
Currently SonarQube cannot detect XSS or HTML injection issues in a servlet.

It would be good if these could be marked as a Security Hotspot at the least.
Maybe something like “Make sure output is properly encoded here.” or something like that.

Example of a vulnerable servlet

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DemoServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Untrusted, attacker-controlled request parameters
        String name = req.getParameter("name");
        String date = req.getParameter("date");
        resp.setContentType("text/html");
        resp.setCharacterEncoding("UTF-8");
        resp.setStatus(HttpServletResponse.SC_OK); // same value as the HttpStatus.SC_OK constant used in the post
        PrintWriter writer = resp.getWriter();
        // The HTML tag literals were stripped when the post was rendered; they are reconstructed here
        writer.write("<html>");
        writer.write("<body>");
        writer.write("<h1>Welcome ");
        writer.write(name); // untrusted value written into HTML unencoded: XSS / HTML injection
        writer.write("</h1>");
        writer.write("<p>Today is ");
        writer.write(date); // same problem
        writer.write("</p>");
        writer.write("</body></html>");
        writer.flush();
    }
}

The input parameters should be properly validated, and the output must be encoded.

Example of servlet with encoded output

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;

public class DemoServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");
        String date = req.getParameter("date");
        resp.setContentType("text/html");
        resp.setCharacterEncoding("UTF-8");
        resp.setStatus(HttpServletResponse.SC_OK); // same value as the HttpStatus.SC_OK constant used in the post
        PrintWriter writer = resp.getWriter();
        // The HTML tag literals were stripped when the post was rendered; they are reconstructed here
        writer.write("<html>");
        writer.write("<body>");
        writer.write("<h1>Welcome ");
        writer.write(ESAPI.encoder().encodeForHTML(name)); // HTML-encoded before it reaches the page
        writer.write("</h1>");
        writer.write("<p>Today is ");
        writer.write(ESAPI.encoder().encodeForHTML(date));
        writer.write("</p>");
        writer.write("</body></html>");
        writer.flush();
    }
}

External reference: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
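The servlet above only writes into HTML text nodes, where encodeForHTML is the right encoder. As an added example (not code from the thread or from SonarQube), the hypothetical servlet below shows what "properly encoded" means once the same untrusted parameter also lands in an attribute value, a URL query string and a JavaScript string literal: each context needs its own ESAPI encoder, and encodeForHTML alone is not sufficient. It assumes the ESAPI library and its ESAPI.properties are on the classpath.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

// Hypothetical servlet: one untrusted parameter, four output contexts.
public class ContextAwareServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name"); // untrusted
        if (name == null) {
            name = "";
        }
        Encoder enc = ESAPI.encoder();
        resp.setContentType("text/html");
        resp.setCharacterEncoding("UTF-8");
        resp.setStatus(HttpServletResponse.SC_OK);
        PrintWriter w = resp.getWriter();
        try {
            w.write("<html><body>");
            // HTML text node: < > & " ' are entity-encoded, so no tag can be opened or closed.
            w.write("<h1>Welcome " + enc.encodeForHTML(name) + "</h1>");
            // Attribute value: a quote character would end the attribute; use the attribute encoder.
            w.write("<input type=\"text\" name=\"name\" value=\""
                    + enc.encodeForHTMLAttribute(name) + "\">");
            // URL query component: percent-encoding leaves only URL-safe characters,
            // which are also harmless inside the surrounding href attribute.
            w.write("<a href=\"/profile?name=" + enc.encodeForURL(name) + "\">profile</a>");
            // JavaScript string literal: the quote and backslash are escaped for the JS
            // parser, so the value cannot terminate the string or the script block.
            w.write("<script>var who = '" + enc.encodeForJavaScript(name) + "';</script>");
            w.write("</body></html>");
        } catch (EncodingException e) {
            // encodeForURL is declared to throw this checked exception
            throw new ServletException("could not encode parameter", e);
        }
        w.flush();
    }
}
```

A rule that flags every unencoded write of a request parameter, as requested above, would still need to check that the encoder matches the context, which is why a hotspot asking for a review fits this case.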


(Alexandre Gigleux) #2

Hello,

We are working to provide this feature as part of SonarQube 7.7

Regards


(Alexandre Gigleux) #3

Hello @Anders,

This is to let you know that I tested your code samples with SQ Developer Edition 7.7 and it raises the expected issues on the first one and nothing on the second one thanks to the sanitization provided by ESAPI.encoder().

SQ 7.7 should be released before end of March 2019.

Regards


(Anders Rogheden) #4

Thank you!
/Anders