Summary #

Invicti detected that the Spring web application is configured to disable automatic HTML escaping for Spring tags, which may lead to Cross-Site Scripting vulnerabilities.

Impact #

Disabling automatic HTML escaping for Spring tags means values rendered through those tags are written into the page unencoded, which may lead to Cross-Site Scripting vulnerabilities.

Actions To Take #

It's recommended to enable HTML escaping for Spring tags. This can be configured in web.xml as in the example below:

<web-app>
    ...
    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>
    ...
</web-app>

At page level, it is set with a tag declaration:

    <spring:htmlEscape defaultHtmlEscape="true" />

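The check below is an added example, not part of the Invicti page or of Spring itself. It reads a deployment descriptor and reports whether the defaultHtmlEscape context parameter is present and set to true, which is the application-wide setting the recommendation above asks for. The sample web.xml strings are constructed for the example; the namespace handling and the trimmed, case-insensitive comparison of the value are assumptions that mirror how a servlet container and Spring's boolean parsing treat the parameter.

```python
"""Audit a web.xml deployment descriptor for Spring's defaultHtmlEscape setting."""
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from any real project).
WEB_XML_ESCAPING_ON = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>"""

WEB_XML_ESCAPING_OFF = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""

WEB_XML_NOT_SET = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>someOtherParam</param-name>
    <param-value>x</param-value>
  </context-param>
</web-app>"""


def _local_name(tag: str) -> str:
    """Strip a namespace prefix of the form '{uri}name' down to 'name'."""
    return tag.rsplit("}", 1)[-1]


def default_html_escape(web_xml: str):
    """Return True or False for an explicit defaultHtmlEscape value, or None if absent.

    Assumption: the value is trimmed and compared case-insensitively, matching
    how a Boolean context parameter is normally parsed on the Java side.
    """
    root = ET.fromstring(web_xml)
    for element in root.iter():
        if _local_name(element.tag) != "context-param":
            continue
        name = value = None
        for child in element:
            if _local_name(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local_name(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == "defaultHtmlEscape":
            return value is not None and value.lower() == "true"
    return None


def audit(web_xml: str) -> str:
    """Turn the tri-state result into a finding a reviewer can act on."""
    setting = default_html_escape(web_xml)
    if setting is True:
        return "ok: defaultHtmlEscape=true"
    if setting is False:
        return "finding: defaultHtmlEscape is explicitly set to false"
    return "finding: defaultHtmlEscape is not set; Spring tags will not escape output"


if __name__ == "__main__":
    for label, descriptor in [("on", WEB_XML_ESCAPING_ON),
                              ("off", WEB_XML_ESCAPING_OFF),
                              ("unset", WEB_XML_NOT_SET)]:
        print(f"{label}: {audit(descriptor)}")
```

Run it against the real web.xml of a deployment to confirm the context parameter survived packaging; an absent parameter is reported as a finding, not as a pass, because Spring treats a missing value as escaping disabled.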
Classifications #
CWE-16; OWASP 2013-A5; OWASP 2017-A6; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N