CGI_Reflected_XSS_All_Clients issue exists @ BenchmarkTest00134.java in branch master
The method doPost embeds untrusted data in generated output with println, at line 82 of /src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00134.java. This untrusted data is embedded into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the generated web-page.
The attacker would be able to alter the output data by simply sending modified values in the user input getHeader, which is read by the doPost method at line 45 of /src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00134.java. This input then flows through the code and is written to the console or STDOUT without sanitization. In some scenarios, this output will also be sent back to the user's browser.
This can enable a Reflected Cross-Site Scripting (XSS) attack if the code's console output is used by the application as part of a web-page, as often occurs with CGI scripts.
Namespace: joaoreis-cx
Repository: test1
Repository Url: https://github.com/joaoreis-cx/test1
CxAST-Project: joaoreis-cx/test1
CxAST platform scan: 53506292-d41c-434c-8792-e513700a84e7
Branch: master
Application: test1
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
CWE: 79
Lines: 45