java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss

Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'. Note that Encode.forHtml is the right encoder only when the value is emitted as HTML body content; a value written into an HTML attribute, a JavaScript block or a URL needs the matching context-specific encoder (Encode.forHtmlAttribute, Encode.forJavaScript, Encode.forUriComponent).
Definition
# Semgrep rule: flags a request parameter that is written unencoded to the servlet
# response body (reflected XSS, CWE-79). Matching is syntactic (pattern-based), not
# taint-based, so the conditions below must all line up inside one method.
# NOTE(review): the YAML indentation was lost when this page was extracted; the key
# nesting below is reproduced as shown on the page, not as a loadable rule file.
rules:
- id: servletresponse-writer-xss
message: "Cross-site scripting detected in HttpServletResponse writer with
variable '$VAR'. User input was detected going directly from the
HttpServletRequest into output. Ensure your data is properly encoded using
org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'."
# Classification: CWE-79, OWASP Top 10 (A7:2017 / A03:2021); the detector is derived
# from Find Security Bugs' XSS_SERVLET pattern (see source-rule-url).
metadata:
cwe:
- "CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')"
owasp:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#XSS_SERVLET
category: security
technology:
- java
references:
- https://owasp.org/Top10/A03_2021-Injection
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
severity: ERROR
# Matching logic: all three entries under `patterns` must hold for a finding.
patterns:
# 1. The sink must sit inside a method that takes an HttpServletResponse parameter
#    (any position in the parameter list).
- pattern-inside: $TYPE $FUNC(..., HttpServletResponse $RESP, ...) { ... }
# 2. $VAR must have been assigned from a getParameter(...) call earlier in that method.
#    $REQ is untyped, so any receiver's getParameter() qualifies. Other request sources
#    (getHeader, getQueryString, getCookies, getPathInfo, request body) are NOT matched,
#    so their absence from findings is a gap in the rule, not evidence of safe code.
- pattern-inside: $VAR = $REQ.getParameter(...); ...
# 3. $VAR is passed as an argument to write() on the response writer, either on the
#    getWriter() result directly or via a local writer variable. Only write(...) is a
#    sink here; print()/println()/append()/format() on the same PrintWriter are not
#    covered. Because $VAR must appear as a whole argument, wrapping it in a call such
#    as Encode.forHtml($VAR) defeats the match (this is what makes the 'ok' example
#    pass); a concatenation like "..." + $VAR presumably escapes it too -- confirm
#    before relying on the rule for those shapes.
- pattern-either:
- pattern: $RESP.getWriter(...).write(..., $VAR, ...);
- pattern: |
$WRITER = $RESP.getWriter(...);
...
$WRITER.write(..., $VAR, ...);
languages:
- java
Examples
servletresponse-writer-xss.java
package servlets;
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.io.FilenameUtils;
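/**
 * Semgrep test fixture for the {@code servletresponse-writer-xss} rule.
 *
 * <p>Each method receives an {@code HttpServletRequest} / {@code HttpServletResponse} pair, reads the
 * {@code input1} request parameter and writes it to the response. The {@code // ruleid:} and
 * {@code // ok:} annotations on the line above each sink tell the Semgrep test harness where a
 * finding is (or is not) expected; they must stay immediately above the line they annotate.
 *
 * <p>This class is a fixture, not deployable code: {@code Encode} (org.owasp.encoder) is referenced
 * without an import in this file, and the class does not register itself as a servlet.
 */
public class Cls extends HttpServlet {
    // Fully qualified on purpose: this file imports neither org.apache.log4j.Logger nor any
    // Register class, so the original short form `Logger.getLogger(Register.class)` did not
    // resolve. Cls.class replaces the undefined Register.class; the logger is otherwise unused.
    private static final org.apache.log4j.Logger log =
            org.apache.log4j.Logger.getLogger(Cls.class);

    /**
     * Reflected XSS: the raw request parameter reaches the response body with no encoding.
     * Expected finding -- exercises the direct {@code getWriter().write(...)} form of the sink.
     */
    protected void danger(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String input1 = req.getParameter("input1");
        // ruleid:servletresponse-writer-xss
        resp.getWriter().write(input1);
    }

    /**
     * Same defect, with the writer first stored in a local variable.
     * Expected finding -- exercises the two-statement form of the sink; the annotation sits
     * above the first statement of the matched span.
     */
    protected void danger2(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String input1 = req.getParameter("input1");
        // ruleid:servletresponse-writer-xss
        PrintWriter writer = resp.getWriter();
        writer.write(input1);
    }

    /**
     * Safe variant: the parameter is HTML-encoded before being written, so the rule does not fire.
     * Encode.forHtml is the correct choice only because the value lands in HTML body content; a
     * value written into an attribute, a script block or a URL would need the matching
     * context-specific encoder (forHtmlAttribute, forJavaScript, forUriComponent).
     */
    protected void ok(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String input1 = req.getParameter("input1");
        // ok:servletresponse-writer-xss
        resp.getWriter().write(Encode.forHtml(input1));
    }
}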