Is it true that the following code adds an XSS vulnerability to some JSP page?
<!-- <%=paramName%>=<%=request.getParameter(paramName)%><BR> -->
It looks like a “leftover debug” and definitely should be removed from the code, but how dangerous is it?
Yes, what you are looking at is a reflective XSS attack. This is dangerous because it allows an attacker to hijack an authenticated session. If you have this code running on your system, an attacker will be able to access other people's accounts without needing to know their username/password.
XSS vulnerabilities can also be used to bypass CSRF protection. This is because XSS allows the attacker to read the value of a CSRF token using XMLHttpRequest. XSS can also be used to fool referer checks.
Here is a simple way to manually test for XSS; here I am breaking out of the HTML comment to execute JavaScript.
This is a free XSS scanner; you should test all applications that you write.
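Added example (not part of the question or the answer above): the Java sketch below builds the same debug line raw and with HTML escaping, then checks whether a parameter value can end the comment early. The class name, method names and sample values are assumptions made for illustration; removing the debug line is still the fix, and in a real JSP the escaping would come from JSTL's `<c:out>` or `fn:escapeXml` rather than a hand-written escaper.

```java
public class DebugCommentEcho {
    // Hand-written HTML escaper so the example has no dependencies.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the JSP line in the question emits: name and value copied verbatim.
    static String renderRaw(String name, String value) {
        return "<!-- " + name + "=" + value + "<BR> -->";
    }

    // Same line with both request-derived strings escaped before output.
    static String renderEscaped(String name, String value) {
        return "<!-- " + escapeHtml(name) + "=" + escapeHtml(value) + "<BR> -->";
    }

    // The comment is intact only if the first "-->" is the template's own closer.
    static boolean commentIntact(String html) {
        return html.startsWith("<!--") && html.indexOf("-->") == html.length() - 3;
    }

    public static void main(String[] args) {
        // Constructed sample values; the second closes the comment and adds inert markup.
        String[] values = { "42", "--><b>outside-comment</b><!--" };
        for (String v : values) {
            String raw = renderRaw("q", v);
            String esc = renderEscaped("q", v);
            System.out.println("raw:     " + raw + "  intact=" + commentIntact(raw));
            System.out.println("escaped: " + esc + "  intact=" + commentIntact(esc));
        }
    }
}
```

The parameter name is escaped as well as the value, because in the original line both come from the request.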