This rule is a stub. It is also an instance of the guideline IDS00-J. Prevent SQL Injection.
Noncompliant Code Example
The following servlet demonstrates a servlet that accepts a visible field and a hidden field, and echoes them back to the user. The visible parameter is sanitized before being passed to the browser, but the hidden field is not.
public class SampleServlet extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException, ServletException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
out.println("<html>");
String visible = request.getParameter("visible");
String hidden = request.getParameter("hidden");
if (visible != null || hidden != null) {
out.println("Visible Parameter:");
out.println( sanitize( visible));
out.println("<br>Hidden Parameter:");
out.println( hidden);
} else {
out.println("<p>");
out.print("<form action=\"");
out.print("SampleServlet\" ");
out.println("method=POST>");
out.println("Parameter:");
out.println("<input type=text size=20 name=visible>");
out.println("<br>");
out.println("<input type=hidden name=hidden value=\'a benign value\'>");
out.println("<input type=submit>");
out.println("</form>");
}
}
/**
* Filter the specified message string for characters that are sensitive
* in HTML. This avoids potential attacks caused by including JavaScript
* codes in the request URL that is often reported in error messages.
*
* @param message The message string to be filtered
*/
public static String sanitize(String message) {
if (message == null)
return null;
char content[] = new char[message.length()];
message.getChars(0, message.length(), content, 0);
StringBuilder result = new StringBuilder(content.length + 50);
for (int i = 0; i < content.length; i++) {
switch (content[i]) {
case '<':
result.append("<");
break;
case '>':
result.append(">");
break;
case '&':
result.append("&");
break;
case '"':
result.append(""");
break;
default:
result.append(content[i]);
}
}
return result.toString();
}
}
When fed the parameter param1, the web page displays the following:
Visible Parameter: param1
Hidden Parameter: a benign value
However, an attacker can easily supply a value to the hidden parameter by encoding it in the URL as follows:
When this URL is provided to the browser, the browser displays:
Visible Parameter: dummy
Hidden Parameter: Surprise!!!
Compliant Solution
This compliant solution applies the same sanitiation to the hidden parameter as is applied to the visible parameter:
...
if (visible != null || hidden != null) {
out.println("Visible Parameter:");
out.println( sanitize( visible));
out.println("<br>Hidden Parameter:");
out.println( sanitize( hidden));
} else {
...
Consequently, when the malicious URL is entered into a browser, the servlet produces:
Visible Parameter: dummy
Hidden Parameter: <font color=red>Surprise</font>!!!
Risk Assessment
Trusting the contents of hidden form fields may lead to all sorts of nasty things.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS14-J | High | Probable | High | P6 | L2 |
Automated Detection
TBD
Bibliography