I actually tried this and didn't manage to do it. Suppose a JSP is served by a controller mapped to "/form". First, to submit a malicious URL such as /notescaped="><script>alert('pwned');</script>, the controller would have to be mapped to "/form*/**" or "/**". That would be a rather unusual mapping for a form controller. Even then, the resulting DOM didn't quite cause the issue. The resulting DOM didn't work as expected in Chrome and FF. See attached image.
Have you reproduced this? Could you perhaps create a small sample project?
Mateusz Krzeszowiec opened SPR-10484 and commented
The form tag is vulnerable to XSS through the path. Although the query string is escaped before being printed, the path is not escaped at all. This can lead to a quite easily exploitable cross-site scripting issue; a sample attack vector could look like:
http://yourwebsite.com/text1/notescaped/text2/?escaped=escaped
where notescaped could be: /Company" onmouseover=prompt(12345689) bad="/somethinghere
or notescaped="><script>alert('pwned');</script>
The problem can be exploited when you're NOT specifying the action attribute.
The reference URL points out the line in which the path part of the URL (requestUri, at this point without query string yet) could be escaped.
Affects: 3.0 GA, 3.1 GA, 3.2 GA
Reference URL: https://github.com/SpringSource/spring-framework/blob/3.2.x/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java#L426
Attachments:
1 vote, 4 watchers
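The mechanism the report describes, as an added illustration that is not Spring's code and not part of the original issue: a form action built from the request path plus an HTML-escaped query string, once with the path concatenated as-is (the pattern the reporter points at in FormTag.java) and once with the path escaped too. `htmlEscape` here is a stand-in for Spring's `HtmlUtils.htmlEscape` and the request values are constructed from the two attack vectors quoted in the report; nothing about controller mappings or servlet URI decoding is modelled.

```java
/**
 * Illustrative model of resolving a <form:form> action when no action
 * attribute is given. Not Spring's implementation; it only reproduces the
 * escape-the-query-but-not-the-path pattern described in SPR-10484.
 */
public class FormActionEscapeDemo {

    /** Stand-in for org.springframework.web.util.HtmlUtils.htmlEscape (assumption: escapes & < > " '). */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The reported pattern: query string escaped, request URI (path) concatenated unescaped. */
    static String resolveActionVulnerable(String requestUri, String queryString) {
        String action = requestUri;
        if (queryString != null && !queryString.isEmpty()) {
            action += "?" + htmlEscape(queryString);
        }
        return action;
    }

    /** Hardened variant: the path is attribute-escaped before it is emitted. */
    static String resolveActionFixed(String requestUri, String queryString) {
        String action = htmlEscape(requestUri);
        if (queryString != null && !queryString.isEmpty()) {
            action += "?" + htmlEscape(queryString);
        }
        return action;
    }

    /** What the tag would write into the page. */
    static String renderFormTag(String action) {
        return "<form action=\"" + action + "\" method=\"post\">";
    }

    public static void main(String[] args) {
        // Constructed request paths taken from the two vectors in the report,
        // assuming the literal quote characters reach the tag undecoded.
        String[] paths = {
            "/text1/Company\" onmouseover=prompt(12345689) bad=\"/text2/",
            "/text1/\"><script>alert('pwned');</script>/text2/"
        };
        // Constructed query string with HTML metacharacters to show it IS escaped in both variants.
        String queryString = "escaped=<b>x</b>";

        for (String path : paths) {
            System.out.println("vulnerable: " + renderFormTag(resolveActionVulnerable(path, queryString)));
            System.out.println("fixed:      " + renderFormTag(resolveActionFixed(path, queryString)));
            System.out.println();
        }
    }
}
```

In the "vulnerable" line the first vector closes the `action` attribute and leaves `onmouseover=prompt(12345689)` as a live attribute of the form element, and the second closes the tag and injects a script element, while the query string is rendered harmlessly as `&lt;b&gt;x&lt;/b&gt;` in both cases; in the "fixed" line the quotes in the path become `&quot;`, so the whole path stays inside the attribute value. Whether such a path can reach the tag in a deployed application is a separate question: the servlet API's `getRequestURI()` returns the raw, undecoded request target, so a browser, which percent-encodes `"` in the path, does not deliver the payload literally, and the controller mapping has to accept the extra path segments at all, which is the point the maintainer's comment raises.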