
I am facing a problem with jsf implementation, or some misunderstanding on my side:

I have the following content: (param contains a malicious javascript block)

<h:outputText value="#{param}"/> <!-- this block does not escape param block -->
#{param} <!-- Also, this one does not escape param  -->
<weirdTag weirdParam="#{param}"/> <!-- WTF, this one is escaped -->

so it seems I am facing a problem when EL expressions are not contained in XHTML tags; obviously this is producing a big problem when substitution is happening in tags

<script>
var val="#{param}"; // This is not escaped, so XSS is possible
</script>

Here are my settings:

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.drm.test</groupId>
    <artifactId>web_test</artifactId>
    <packaging>war</packaging>
    <version>1.0-SNAPSHOT</version>
    <name>web_test Maven Webapp</name>
    <url>http://maven.apache.org</url>
    <dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>3.8.1</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.sun.faces</groupId>
            <artifactId>jsf-api</artifactId>
            <version>2.1.29</version>
        </dependency>

        <dependency>
            <groupId>com.sun.faces</groupId>
            <artifactId>jsf-impl</artifactId>
            <version>2.1.29</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>servlet-api</artifactId>
            <version>2.5</version>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>taglibs</groupId>
            <artifactId>standard</artifactId>
            <version>1.1.2</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <version>1.1.2</version>
        </dependency>
        <dependency>
            <groupId>com.sun.facelets</groupId>
            <artifactId>jsf-facelets</artifactId>
            <version>1.1.14</version>
        </dependency>
    </dependencies>
    <build>
        <finalName>web_test</finalName>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>2.3.1</version>
                <configuration>
                    <source>1.6</source>
                    <target>1.6</target>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>

index.xhtml

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
    xmlns:ui="http://java.sun.com/jsf/facelets"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:f="http://java.sun.com/jsf/core">
<body>
    #{param['requestParam']}
    <!-- ESCAPED!! -->
    <kkk value="#{param['requestParam']}" />
    <!--  NOT ESCAPED -->
    #{param['requestParam']}
    <h:outputText value="#{param['requestParam']}" escape="true" />
    <script>
    <!-- NOT ESCAPED XSS -->
        <h:outputText value="#{param['requestParam']}" escape="true"/>
    </script>
</body>
</html>

Output html (view source code in browser) when calling with url:

http://localhost:8080/web_test/index.jsf?requestParam=jsMethod("")

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
    jsMethod("");
    <!-- ESCAPED!! -->
    <kkk value="jsMethod(&quot;&quot;);"></kkk>
    <!--  NOT ESCAPED -->
    jsMethod("");jsMethod("");
    <script>
    <!-- NOT ESCAPED XSS -->jsMethod("");
    </script>
</body>
</html>
  • Project is stuck on JSF 1.2; it is legacy and updating is not an option at this moment. JSF views are backed by .xhtml files – Daniel Rodriguez Jul 22 '14 at 22:09
  • Made a simple empty project with an updated JSF version, and the same thing happens. I edited the post with pom.xml and the xhtml file – Daniel Rodriguez Jul 23 '14 at 07:35
  • This is a new project I built to check if this happens in 2.1.29. The problem is that I can have a page with the following contents: and I don't want someone to call this url passing some valid javascript code in 'param' that will be executed; I need this param escaped. I removed everything JSP in this test project. – Daniel Rodriguez Jul 23 '14 at 07:57

1 Answer


The tag has an attribute escape.

This will escape any sensitive HTML in the output of the tag. This is true by default and alone will not prevent XSS injection attacks. To do this you need to implement your own ServletFilter that filters XSS injection attempts from all request parameters.

The following project can be used to clean your request parameters, and it shouldn't be too difficult to write a servlet filter in your web application that utilizes this.

http://code.google.com/p/xssprotect/

maple_shaft