JSTL is very common word across web developer who work on dynamic content display in JSP page creation. It may be common practice now a days but thought it would worth sharing this information. This information will be helpful...
Lots of developer use normal scriptlet to print dynamic values from user in JSP.
e.g.
String langId = request.getParameter("langId");
<%=langId %>
This might be fast way to do the coding but not the safest way. This approach will make your website vulnerable to security threats
like Cross Site Scripting. And can be easily used by malicious user to do some fishing in your website. Malicious User's can use this loop hole to redirect to some
fishing website and capture critical user data.
To address this issue there are many approaches available but one of the better and simpler approach is to use JSTL tags. These tags takes care of these above mentioned issues on its own. No additional coding is required.
If you use <c:out value="${param.langId}"/> instead of <%=langId %>, will resolve cross site scripting issue. So I would recommend use of jstl tags.
There is attribute to c:out tag escapeXml, it can have "false" or "true" values.
true = declare the conversion of XML entities, this is the default
false = declare NO conversion of XML entities, normal script execution will be done, similar as of scriptlet.
I did small POC for verifying JSTL tags.Below screen shot is one of the simple example for showing alert in application by passing scripts as part of parameter.
You can see the below screen shot where in url i passed alert as parameter value to langId=-1--%253e%253csCrIpT%253ealert("XSS")%253c%2fsCrIpT%253e, where in code
scriptlet is being used. I was able to execute the script code passed in parameter. You can see the alert which poped up due to use of scriptlet application code.
When i changed the above <%=langId %> to <c:out value="${param.langId}"/> application did not show the alert which came in previous example.
This is because c:out tag does not try to render the value as valid javascript tag, but it print the value <script> in UI.
Hope this information helps...
Also check SQL injection/CSRF and CSS with Filter post, i will be posting some more security vulnerabilities posts in coming days, and their solutions.
Lots of developer use normal scriptlet to print dynamic values from user in JSP.
e.g.
String langId = request.getParameter("langId");
<%=langId %>
This might be fast way to do the coding but not the safest way. This approach will make your website vulnerable to security threats
like Cross Site Scripting. And can be easily used by malicious user to do some fishing in your website. Malicious User's can use this loop hole to redirect to some
fishing website and capture critical user data.
To address this issue there are many approaches available but one of the better and simpler approach is to use JSTL tags. These tags takes care of these above mentioned issues on its own. No additional coding is required.
If you use <c:out value="${param.langId}"/> instead of <%=langId %>, will resolve cross site scripting issue. So I would recommend use of jstl tags.
There is attribute to c:out tag escapeXml, it can have "false" or "true" values.
true = declare the conversion of XML entities, this is the default
false = declare NO conversion of XML entities, normal script execution will be done, similar as of scriptlet.
I did small POC for verifying JSTL tags.Below screen shot is one of the simple example for showing alert in application by passing scripts as part of parameter.
You can see the below screen shot where in url i passed alert as parameter value to langId=-1--%253e%253csCrIpT%253ealert("XSS")%253c%2fsCrIpT%253e, where in code
scriptlet is being used. I was able to execute the script code passed in parameter. You can see the alert which poped up due to use of scriptlet application code.
When i changed the above <%=langId %> to <c:out value="${param.langId}"/> application did not show the alert which came in previous example.
This is because c:out tag does not try to render the value as valid javascript tag, but it print the value <script> in UI.
Hope this information helps...
Also check SQL injection/CSRF and CSS with Filter post, i will be posting some more security vulnerabilities posts in coming days, and their solutions.
