Java Server Pages(JSP) currently can define tag definitions through the Standard Tag Library (JSTL). One of the tag functions is the ability to disable escapeXml which could potentially be dangerous in Cross-Site Scripting attacks. By disabling escapeXml an attacker can manipulate an XML document which is reflected within a client browser and inject HTML and/or Javascript syntax.

Impact of JSP JSTL Out

Exploiting the Standard Tag Library leading to a successful Cross Site Scripting (XSS) attack results in javascript code running in a users browser without their knowledge. That code then reads the session cookie of a logged in session to their bank, work account, or any other account they have a session with. Once in possession of the session cookie, the malicious code then transmits that value to the attacker who can then connect to the site with that session cookie assuming the role of the original user. Now the attacker can do anything as that user.

Fixes for JSP JSTL Out

All data elements rendered within response content must be properly encoded to ensure the data is not interpreted as markup code by the user’s web browser. Depending on where within the response the data is rendered, one of the following encoding methods should be used: HTML: HtmlEncoding should be used to escape all rendered output. For example, script tags are escaped by replacing the < and > characters with < and >. JavaScript: Data rendered within JavaScript code can be encoded into the format \xDD where DD is the hexadecimal value of the ASCII character. This causes the encoded characters to be taken literally by the browser, rather than interpreted as meta characters. URL: Data rendered within a URL should be URLEncoded into the format %DD, where DD is the hexadecimal value of the ASCII character. HTML Attributes: Properly quoted attributes can only be escaped with the corresponding quote. Ensure that the attribute is quoted and that any quotes within the data value are encoded. Most development platforms have a native encoding mechanism that can be leveraged to perform the above encodings. Additionally, there are a number of publicly available APIs that provide encoding functionality.

Specifically,

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="${param.test_param}" escapeXml="false"/>

must be changed to,

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="${param.test_param}"/>

Want to check your projects for free?

References

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Tutorial Point: JSTL fn:escapeXml definition
Oracle: JSTL core Tag out