PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  • Java Example
  • JavaScript Example
  1. DevSecOps
  2. Secure Coding
  3. Code Review Examples

XSS

Vulnerable Code:

Java Example:

@WebServlet("/search")
public class SearchServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String query = request.getParameter("q");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<h1>Search Results for: " + query + "</h1>");
        out.println("</body></html>");
    }
}

Reason for Vulnerability:

The user input (query) is directly embedded into the HTML output without any sanitization, allowing potential injection of malicious scripts.

Fixed Code:

javaCopyimport org.owasp.encoder.Encode;

@WebServlet("/search")
public class SearchServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String query = request.getParameter("q");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<h1>Search Results for: " + Encode.forHtml(query) + "</h1>");
        out.println("</body></html>");
    }
}

Reason for Fix:

The fixed code uses the OWASP Java Encoder library to properly encode the user input for HTML context, preventing XSS attacks.

Java Example

Vulnerable Code:

javaCopy@Controller
public class CommentController {
    @PostMapping("/addComment")
    public String addComment(@RequestParam String comment, Model model) {
        model.addAttribute("latestComment", comment);
        return "comments";
    }
}

<!-- comments.html -->
<div th:utext="${latestComment}"></div>

Reason for Vulnerability:

The Thymeleaf template uses th:utext to render the comment, which does not escape HTML entities, allowing potential XSS attacks.

Fixed Code:

javaCopy@Controller
public class CommentController {
    @PostMapping("/addComment")
    public String addComment(@RequestParam String comment, Model model) {
        model.addAttribute("latestComment", comment);
        return "comments";
    }
}

<!-- comments.html -->
<div th:text="${latestComment}"></div>

Reason for Fix:

The fixed code uses th:text instead of th:utext in the Thymeleaf template. This automatically escapes HTML entities, preventing XSS attacks.

JavaScript Example

Vulnerable Code:

javascriptCopyconst express = require('express');
const app = express();

app.get('/welcome', (req, res) => {
    const name = req.query.name;
    res.send(`<h1>Welcome, ${name}!</h1>`);
});

app.listen(3000, () => console.log('Server running on port 3000'));

Reason for Vulnerability:

The user input (name) is directly inserted into the HTML response without any sanitization, allowing potential XSS attacks.

Fixed Code:

javascriptCopyconst express = require('express');
const escapeHtml = require('escape-html');
const app = express();

app.get('/welcome', (req, res) => {
    const name = req.query.name;
    res.send(`<h1>Welcome, ${escapeHtml(name)}!</h1>`);
});

app.listen(3000, () => console.log('Server running on port 3000'));

Reason for Fix:

The fixed code uses the escape-html package to sanitize the user input before inserting it into the HTML response, preventing XSS attacks.

Reflected XSS in JavaScript

Vulnerability: Reflected Cross-Site Scripting (XSS)

Vulnerable Code:

javascriptCopy codeconst userInput = getParameterByName('input');
document.getElementById('output').innerHTML = userInput;

Reason for vulnerability: Directly inserting user input into the HTML without sanitization or encoding.

Fixed Code:

javascriptCopy codeconst userInput = getParameterByName('input');
document.getElementById('output').innerText = userInput;

Reason for fix: Using innerText instead of innerHTML escapes the input, preventing XSS.

Stored XSS in Java

Vulnerability: Stored Cross-Site Scripting (XSS)

Vulnerable Code:

javaCopy codeString comment = request.getParameter("comment");
response.getWriter().println(comment);

Reason for vulnerability: User input is directly displayed in the response without encoding, allowing malicious scripts to be executed.

Fixed Code:

javaCopy codeString comment = request.getParameter("comment");
response.getWriter().println(StringEscapeUtils.escapeHtml4(comment));

Reason for fix: Escaping the user input using StringEscapeUtils.escapeHtml4 ensures that any HTML or JavaScript code in the input is neutralized.

Python (Flask)

Vulnerable Code:

pythonCopy code@app.route('/greet')
def greet():
    name = request.args.get('name')
    return f'Hello {name}'

Reason for vulnerability: User input is directly included in the response, allowing XSS.

Fixed Code:

pythonCopy code@app.route('/greet')
def greet():
    name = request.args.get('name')
    return f'Hello {escape(name)}'

Reason for fix: Escape user input before including it in the response.

PreviousSQLiNextXXE

Last updated 9 months ago