Skip to main content

JSP ContextPath Link Manipulation - XSS

This post is about how to manipulate resource links of HTML elements (script, img, link, etc) when getContextPath method is used to obtain base path of resources. With the ability to manipulate links you can do XSS, CSS Injection, etc.

Basically we are going to use path parameters to manipulate context path such that links would point to attacker's domain. There's a good blog that talk about the similar issues :

However this post is more about manipulating context path to hijack resource links of HTML elementsSo let's have a look at a simple JSP page (test.jsp)

Ref :

This page just loads some resources like script, image, css and that's it. It doesn't take any direct input from user but it is using value returned by request.getContextPath() as base path to resources link.

What can we do here?

Let's try to control the base path by using path parameters :;pathParameter/contextPathExample/test.jsp

As you could see we are able to have a little control over the base path (of links) but it's not really useful right now unless we could manipulate the domain of links.

Now you might be thinking if we could break out of double quotes and inject new tag as :;pathParameter"><svg onload=alert()>/contextPathExample/test.jsp

Unfortunately it won't work because the characters like <,>," gets URL encoded as you can see below.

So what can we do?

As we can't inject HTML code so our goal now is to find a way to manipulate domain of links.

Everyone knows that we can provide resource URLs without protocol also, for example <img src=//> , here browser will take the protocol from the page URL and consider as domain and try to fetch the 1.jpeg from domain.  Let's try to do the same :;

Looks like additional forward slashes gets removed. If we try with backward slashes then server throws error. So this idea also failed.

But here's one interesting thing about getContextPath method, it does not URL encode the "&" character.  So we can simply encode forward slash character in HTML character entity as &sol; and then we can manipulate the domain of links as :;;/..;/..;/contextPathExample/test.jsp

Here src, action, etc are the attributes and browser decodes the value (HTML Entities) from attributes automatically before fetching the link hence &sol; becomes / and &num; becomes # and final link becomes : //

And boom!

We hijacked all the links of all HTML elements like script, link, form, img, etc. Just for example we injected "xss.js" file in script element's source and we got easy XSS.

That's it.


Post a Comment

Popular posts from this blog

U-XSS in OperaMini for iOS Browser (0-Day) [CVE-2019-13607]

TL;DR :  The latest version (16.0.14) of  Operamini for iOS browser is affected by an Universal-XSS vulnerability which can be triggered by performing navigation from target domain to attacker controlled domain. When attacker controlled domain returns " javascript:code_here " in " location " header then browser executes the javascript code in the context of target domain instead of attacker domain. This vulnerability is yet not fixed by Opera team.  Update [15 July 2019] :  CVE-2019-13607 is assigned to this vulnerability. So while playing with Operamini browser I noticed that when a navigation to " javascript " protocol occurs via " location " header then browser executes the provided javascript code. For example if the value of " location " header is " javascript:alert() " then javascript code "alert()" gets executed by the browser. Normally browsers prevent navigation to " javascript: " URL

Bug Bounty : Account Takeover Vulnerability POC

Hello, In this post I'm going to share how I could takeover users accounts. So, what was the vulnerability? Well , It was a very simple OAuth flaw which I could use to takeover users account with minimal user interaction. Cut the crap, Give me POC -_- Ok. users have an option to connect their facebook account to their account.  Once a user connects his facebook account to his account he does not need to enter his username/password to login instead he can simply click on "Sign in using Facebook" and he will be logged in (only if he is already logged in into his facebook account which he connected to his account) Ok all looks good let's see what happens in background when any user clicks on "Connect with Facebook" GET Request  :,