Showing posts from 2020

JSP ContextPath Link Manipulation - XSS

This post is about how to manipulate the resource links of HTML elements (script, img, link, etc.) when the getContextPath method is used to obtain the base path of resources. With the ability to manipulate links you can do XSS, CSS injection, etc.

Basically, we are going to use path parameters to manipulate the context path so that links point to the attacker's domain. There's a good blog post that talks about similar issues: https://superevr.com/blog/2011/three-semicolon-vulnerabilities

However, this post is more about manipulating the context path to hijack the resource links of HTML elements. So let's have a look at a simple JSP page (test.jsp).


This page just loads some resources such as a script, an image and a stylesheet, and that's it. It doesn't take any direct input from the user, but it uses the value returned by request.getContextPath() as the base path for its resource links.

What can we do here?

Let's try to control the base path by using path parameters:

http://127.0.0.1:8080/;pathParameter/contextPathEx…
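
Since the value returned by request.getContextPath() follows the request URL, one defensive option is to compare it with the context path the container itself reports and to build links only from that trusted value. The filter below is an added example, not code from the original post; the class name `CanonicalContextPathFilter`, the `appBase` attribute and the `javax.servlet` (pre-Jakarta) API are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class): reject requests whose context path, as sent
// by the client, differs from the one the application is deployed under.
@WebFilter("/*")
public class CanonicalContextPathFilter implements Filter {

    private String canonical; // e.g. "/myapp" (constructed value)

    @Override
    public void init(FilterConfig config) {
        // ServletContext.getContextPath() comes from the deployment, not from the
        // request line, so the client cannot influence it.
        canonical = config.getServletContext().getContextPath();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // HttpServletRequest.getContextPath() is taken from the request URI and is
        // not decoded by the container, so path parameters (";...") can survive in it.
        if (!canonical.equals(request.getContextPath())) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Pages build resource links from this attribute instead of the request
        // value, e.g. <script src="${appBase}/js/app.js"></script> (path is constructed).
        request.setAttribute("appBase", canonical);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Rejected requests are also worth logging, since a context path that differs from the deployed one rarely occurs in normal browsing.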