Java Server Pages (JSP) lets a page definition contain dynamic values that the server renders at runtime. A JSP page can also include other files via the jsp:include or c:import tag. If such a tag is rendered on the server with unvalidated user input, the user can specify content from the hosting server or even from a remote site. Exploiting this can lead to information leakage.

Fixes for JSP Include

If unsanitized user input is injected into the include, the user can fetch whatever is accessible from the host system:

<%-- Vulnerable: the raw request parameter is concatenated into the include path --%>
<%
   String p = request.getParameter("p");
%>
<jsp:include page="<%= "includes/" + p + ".jsp" %>" />

By sending an HTTP request with the parameter ‘p’, an attacker can retrieve the password file from the local file system:

/vulnerable.jsp?p=/../../database/passwordDB

Solution: the recommendations below address unsanitized user input being included within JSP:

  • Altogether disallow user input from being populated within the file include for JSP
  • Disallow user input for file system calls
  • Use enums/integers to translate user input into sane values, e.g. 1 = ‘en-ca’, 2 = ‘en-us’, etc.
  • Only allow users to partially specify the file path
  • Jail file or code access with mechanisms such as chroot jails for fetching and saving files
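The enum/integer recommendation above, worked through as an added example that is not code from the original page: the only thing the user controls is a selector key, which is looked up in a fixed allowlist, so no request data ever reaches the include path. The file names, the /WEB-INF/includes/ location and the helper name resolveInclude are assumptions.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ page import="java.util.Map" %>
<%!
    // Allowlist mapping (assumed paths): the keys are the only values a user
    // may supply; the path values are constants and never contain request data.
    // Resources under /WEB-INF/ are not directly requestable from a browser but
    // are reachable through jsp:include, which keeps them out of direct reach.
    private static final Map<String, String> LOCALE_INCLUDES = Map.of(
        "1", "/WEB-INF/includes/en-ca.jsp",
        "2", "/WEB-INF/includes/en-us.jsp",
        "3", "/WEB-INF/includes/fr-ca.jsp");
    private static final String DEFAULT_INCLUDE = "/WEB-INF/includes/en-us.jsp";

    // Resolve the selector to an allowlisted path. Anything unexpected
    // (missing, non-numeric, traversal sequences such as "../") is simply
    // an unknown key and falls back to the default include.
    static String resolveInclude(String p) {
        if (p == null) {
            return DEFAULT_INCLUDE;
        }
        return LOCALE_INCLUDES.getOrDefault(p.trim(), DEFAULT_INCLUDE);
    }
%>
<%
    // Hardened form: the raw parameter is never concatenated into a path.
    String target = resolveInclude(request.getParameter("p"));
%>
<jsp:include page="<%= target %>" />
```

Requests such as ?p=2 render the en-us include, while ?p=/../../database/passwordDB matches no key and renders the default instead of touching the file system.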

