Security Cipher
Reflected Cross-Site-Scripting (XSS)

Table of Contents
  • 🥺 Vulnerable Code
  • 😎 Secure Code

Here is an example of Java code that is vulnerable to reflected cross-site scripting (XSS) attacks on a search page:

🥺 Vulnerable Code

// Untrusted input: the "term" query parameter, exactly as the client sent it
String searchTerm = request.getParameter("term");
// Reflected XSS sink: the raw value is concatenated into the HTML response without encoding
out.println("<h1>Search Results for: " + searchTerm + "</h1>");

This code takes the user-provided search term and reflects it back to the user in the search results header. An attacker could inject malicious JavaScript code into the search term, which would then be executed by the victim’s browser when they view the search results.

😎 Secure Code

To secure this code against XSS attacks, we can use the `escapeHtml4` method of the `org.apache.commons.text.StringEscapeUtils` class to HTML-encode the search term before it is written into the response. The browser then renders the encoded value as text, so injected JavaScript is never executed:

import org.apache.commons.text.StringEscapeUtils;
...
// Untrusted input: the "term" query parameter (null if the parameter is absent)
String searchTerm = request.getParameter("term");
// HTML-encode &, <, >, " and other HTML 4 entities so the value cannot introduce markup
searchTerm = StringEscapeUtils.escapeHtml4(searchTerm);
// The encoded term is now safe to place in HTML element content
out.println("<h1>Search Results for: " + searchTerm + "</h1>");

This ensures that any HTML or JavaScript injected into the search term is displayed as plain text rather than executed as code. Note that `escapeHtml4` is the right encoder for the HTML element-content context shown here; a value placed inside a single-quoted attribute, a JavaScript block or a URL needs the encoding appropriate to that context, because `escapeHtml4` does not encode the single quote.
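As an added, stand-alone example (not code from the original page), the vulnerable and hardened renderers side by side, with a small element-context HTML encoder standing in for `escapeHtml4` so the program runs without the commons-text dependency; the input string, the `introducesTags` check and the class name are constructed for this demonstration.

```java
// ReflectedXssDemo.java: vulnerable vs. hardened rendering of the search-results header.
public class ReflectedXssDemo {

    // The page's vulnerable renderer: the untrusted term is concatenated straight into HTML.
    static String renderVulnerable(String term) {
        return "<h1>Search Results for: " + term + "</h1>";
    }

    // The hardened renderer: the term is HTML-encoded for element content before concatenation.
    static String renderSecure(String term) {
        return "<h1>Search Results for: " + escapeHtml(term) + "</h1>";
    }

    // Stand-in for StringEscapeUtils.escapeHtml4 (assumption: same treatment of & < > " in this context).
    // It additionally encodes the single quote, which escapeHtml4 leaves alone, so the result is also
    // safe inside a single-quoted attribute. A null parameter (absent from the request) becomes "".
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Review check: the only tags in the output should be the template's own <h1> and </h1>.
    static boolean introducesTags(String rendered) {
        return rendered.replace("<h1>", "").replace("</h1>", "").indexOf('<') >= 0;
    }

    public static void main(String[] args) {
        // Constructed test input: the standard XSS marker string, not a real request.
        String term = "<script>alert(1)</script>";
        String bad = renderVulnerable(term);
        String good = renderSecure(term);
        System.out.println("vulnerable: " + bad + "  introducesTags=" + introducesTags(bad));
        System.out.println("secure:     " + good + "  introducesTags=" + introducesTags(good));
    }
}
```

Compile and run with `javac ReflectedXssDemo.java && java ReflectedXssDemo`; the vulnerable line keeps the injected `<script>` tag while the secure line shows it as `&lt;script&gt;` text.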

©2023. Security Cipher. All Rights Reserved.