From: Ingo Struck (istr merconic.com)
Date: Mon May 20 2002 - 10:42:36 CDT
Hi!
> http://192.168.1.48:8888/jspages/LoginErrorMsg.jsp?
> msg=''<script>alert("Test hello Message");</script>
It seems like your .jsp does something like this:
<%-- echoes the raw request parameter into the page, unencoded --%>
<%
    String msg = request.getParameter( "msg" );
    out.print( msg );
%>
This is always a bad idea, since one could add arbitrary
HTML code to the page using the method you mentioned.
Try this:
<%!
    // fixed table of messages; index 0 is the fallback text
    static final String[] messages = { "error", "server down", "go away" };
%>
<%
    int mnum = 0;
    try {
        mnum = Integer.parseInt( request.getParameter( "msg" ) );
    } catch ( Exception e ) {}
    // anything outside the table (negative or too large) falls back to "error"
    if ( mnum < 0 || mnum >= messages.length ) {
        mnum = 0;
    }
%>
<%= messages[ mnum ] %>
Then you have to address error codes with
LoginErrorMsg.jsp?msg=0
LoginErrorMsg.jsp?msg=1
LoginErrorMsg.jsp?msg=2
If anything else occurs, the displayed text will be error.
Using this or any other kind of indirect message determination
prevents users from writing arbitrary content to the pages.
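The same indirect lookup as a standalone Java class, added here as an example and not code from the post; the class and method names, the out-of-range fallback and the escapeHtml helper (a complementary measure the post does not mention) are assumptions of this example:

```java
// Added example, not from the original post: the indirect message lookup
// as a plain Java class so it can be exercised outside a JSP container.
// The class/method names and the message table are illustrative.
public final class LoginErrorMessages {

    // Fixed table of messages; index 0 is the fallback "error" text.
    private static final String[] MESSAGES = { "error", "server down", "go away" };

    // Map the raw ?msg= parameter to an entry of the fixed table.
    // Anything that is not a valid index (null, non-numeric, negative or
    // too large) falls back to MESSAGES[0], so request data never reaches
    // the page as markup.
    public static String lookup(String rawMsg) {
        int mnum = 0;
        try {
            mnum = Integer.parseInt(rawMsg);
        } catch (NumberFormatException e) {
            // parseInt(null) also throws NumberFormatException
            mnum = 0;
        }
        if (mnum < 0 || mnum >= MESSAGES.length) {
            mnum = 0;
        }
        return MESSAGES[mnum];
    }

    // Complementary measure (not in the post): when free text really has to
    // be echoed, encode it so the browser treats it as data, not as HTML.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input mirroring the request from the quoted message.
        String attack = "''<script>alert(\"Test hello Message\");</script>";
        System.out.println(lookup(attack));
        System.out.println(lookup("1"));
        System.out.println(lookup("7"));
        System.out.println(escapeHtml(attack));
    }
}
```

With the table lookup, the script payload and the out-of-range index both render as "error"; escapeHtml shows what the page would have to do if it insisted on echoing free text.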
> As in, can someone make some data injection into the server
> by creating a specially crafted javascript.
This is improbable unless you build up your db connection via
javascript.
But somebody could submit a whole malicious form and then execute
it with javascript. This could be a possibility for data injection.
To say more about this topic, one has to know how your db connection
works.
Kind regards
Ingo Struck
--
Ingo Struck
Shop Development
merconic GmbH, Chausseestr. 128-129, D-10115 Berlin (Mitte)
istrmerconic.com, http://www.merconic.com
fon +49-30-726.265-263, fax +49-30-726.265-211