This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "JSP JSTL"

From OWASP
Jump to: navigation, search
(Sinks)
(JSP Standard Actions)
Line 25: Line 25:
  
 
=== Propagators ===
 
=== Propagators ===
<jsp:usebean>
+
'''<jsp:usebean>'''<br>
<jsp:setProperty>
+
* Makes a Java Bean available to the rest of the page by instantiaing the object and binding it to a variable.
 +
* Once you have that you can modify and access it using the jsp setProperty and getProperty tags.
 +
* You can also call methods on it in scriptlets.
 +
<pre>
 +
<jsp:useBean id="user" class="SessionBeans.UserSessionBean" scope="session"/>
 +
<%=user.getStrParam%>
 +
</pre>
 +
 
 +
'''<jsp:setProperty>'''<br>
 +
 +
''Set all bean properties with matching request parameters.''
 +
<pre>
 +
<jsp:setProperty name="user" property="*"/><!-- -->
 +
</pre>
 +
''Set single property with matching request parameter''
 +
<pre>
 +
<jsp:setProperty name="user" property="strParam"/>
 +
</pre>
 +
''Set with supplied value''
 +
<pre>
 +
<jsp:setProperty name="user" property="strParam" value="blah" />
 +
</pre>
  
 
=== Sinks ===
 
=== Sinks ===
<jsp:getProperty>
+
'''<jsp:getProperty>'''<br>
<jsp:include>
 
 
   
 
   
 
Examples:<br>
 
Examples:<br>
Line 43: Line 63:
 
<jsp:getProperty name="user" property="strParam"/>
 
<jsp:getProperty name="user" property="strParam"/>
 
</pre>
 
</pre>
Other ways to set properties:
+
'''<jsp:include>'''<br>
''Setting a single bean property with the matching request parameter.''<br>  
+
Displays contents of another page within current. Only a problem if included page contains xss.
''Setting  a single bean property with the supplied value.''<br>
 
''Setting a single bean property with the supplied value – obviously contrived.''<br>
 
<pre>
 
<jsp:setProperty name="user" property="strParam"/>
 
<jsp:setProperty name="user" property="strParam" value="blah" />
 
<jsp:setProperty name="user" property="strParam" value="<%=request.getParameter("strParam")%>" />
 
</pre>
 
  
 
== JSP Implicit Objects ==
 
== JSP Implicit Objects ==

Revision as of 16:26, 11 March 2008

Brief Overview of JSP Architecture

JSPs are delivered to a container that provides services like life-cycle management and runtime support. A JSP gets translated to a servlet class which is instantiated at runtime. A request headed for a particular JSP will be directed by the container to its corresponding servlet class (aka jsp implementation object). It then handles requests and generates responses. The default request response objects are HttpServletRequest and HttpServletResponse. JSP makes use of implicit objects that can be considered taint sources, sinks and propagators. I won't discuss further details since that is outside the scope of this project. For further information try this reference guide.


JSP In Light of Security

There’s not much to say here except that JSPs can act as both a model and view. It can operate fairly well without a distinct service or business layer because it doesn’t quite enforce separation of logic and concerns (hence the advent of development frameworks).

I won’t discuss details of web app design here, but one should understand that lack of separation can have negative effects on web-app stability and security. But even so, lack of input validation can lead to easy security vulns in JSP, namely XSS.

Commonly, JavaBeans are used in conjunction with JSP to store parameters and implement business logic. Most of my examples will use beans to demonstrate taint propagation and proper cleansing.

For more data on design with JSP and servlets, see this best practices article


JSP Standard Actions

Propagators

<jsp:usebean>

  • Makes a Java Bean available to the rest of the page by instantiaing the object and binding it to a variable.
  • Once you have that you can modify and access it using the jsp setProperty and getProperty tags.
  • You can also call methods on it in scriptlets.
<jsp:useBean id="user" class="SessionBeans.UserSessionBean" scope="session"/>
<%=user.getStrParam%>

<jsp:setProperty>

Set all bean properties with matching request parameters.

<jsp:setProperty name="user" property="*"/><!-- -->

Set single property with matching request parameter

<jsp:setProperty name="user" property="strParam"/>

Set with supplied value

<jsp:setProperty name="user" property="strParam" value="blah" />

Sinks

<jsp:getProperty>

Examples:
This will attempt to set all bean properties with matching request parameters.

<jsp:useBean id="user" class="SessionBeans.UserSessionBean" scope="session"/>
<jsp:setProperty name="user" property="*"/>

Later on another page...

<jsp:useBean id="user" class="SessionBeans.UserSessionBean" scope="session"/>
<jsp:getProperty name="user" property="strParam"/>

<jsp:include>
Displays contents of another page within current. Only a problem if included page contains xss.

JSP Implicit Objects

There are a handful of objects made available in JSPs which are susceptible to security flaws. Their corresponding java class functions are used as is in scriptlets. All the same security rules should apply.

Implicit Object Java Class Relevant Functions
request javax.servlet.ServletRequest getParameter(String parametername)

getParameterValues()

getParameterMap()

session javax.servlet.http.HttpSession setAttribute()

getAttribute() removeAttribute()

out javax.servlet.jsp.JspWriter print(char[] s)

print(java.lang.String s)

println(java.lang.String x)

println(char[] x)

Examples:
saveinfo.jsp

<% 
    String name = request.getParameter("username");
    session.setAttribute("taintedAttribute", name);
%>

displayinfo.jsp

my xss varible: <%=session.getAttribute("taintedAttribute", name)%>

Unified EL

see also [J2EE Bad Practices: JSP Expressions]

JSTL Tags

JSTL Functions