XSS attack in sap portal pdk object

Hi all,

I have created a portal PDK project and configured it for anonymous access. The project accepts the question id through the query string as below:

http://myportal.com/irj/portal/anonymous/questions?questionid=2;

But due to this there is a possibility for some XSS attacks, for example:

http://myportal.com/irj/portal/anonymous/questions?questionid=18c78b0'-alert('XSS_INJECTION')-'e3a1f

This gives me a pop-up XSS_INJECTION, even though I sanitized the questionid in Java code. The JavaScript function alert is executed first, and the URL hits the particular servlet/PDK object only then.

How can I solve the above issue to remove XSS attacks? Can that be handled from code?

Please do the needful.

Regards

Prasad


2 Answers

  • Former Member
    Posted on Dec 30, 2014 at 04:14 PM

    Hi Prasad,

    Have you tried to send the parameters in the request via http POST?

    Best regards,

    Etay


  • Posted on Dec 31, 2014 at 07:46 AM

    Hi Prasad,

    In your component, before returning the response to the client, you should use the XSSEncoder to encode your output properly.

    If it's going to HTML you should use XSSEncoder.encodeHTML.

    See for example here:

    SAP Encoding Functions for AS Java and JavaScript - Secure Programming - SAP Library

    BR,

    Tal

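As an added example (not code from this thread, the PDK project, or SAP), here is how the questionid reflection described above could be handled in a Java portal component: allowlist the parameter first, then encode it with the encoder that matches the output context, since the payload in the question targets a JavaScript string literal, not HTML text. It assumes the XSSEncoder class lives in com.sap.security.core.server.csi and exposes static encodeHTML and encodeJavaScript methods.

```java
// Added example, not from the thread or from SAP's own code.
// Assumed: XSSEncoder lives in com.sap.security.core.server.csi and offers
// static encodeHTML / encodeJavaScript methods, as the answer above refers to.
import com.sap.security.core.server.csi.XSSEncoder;

public final class QuestionPageRenderer {

    // Step 1: allowlist validation. questionid is numeric, so anything else
    // (e.g. 18c78b0'-alert('XSS_INJECTION')-'e3a1f) is rejected up front.
    static Integer parseQuestionId(String raw) {
        if (raw == null || !raw.matches("\\d{1,9}")) {
            return null;
        }
        return Integer.valueOf(raw);
    }

    // The pattern the payload exploits: the raw parameter is written inside a
    // JavaScript string literal, so a single quote ends the literal and the
    // browser evaluates the injected expression as soon as the page renders,
    // regardless of any "sanitizing" done later in the request flow.
    //   response.write("<script>var qid = '" + raw + "';</script>");

    // Step 2: encode at the point of output, once per context. The same value
    // is placed in a JS string and in HTML text; each needs its own encoder.
    // Encoding is what protects values that cannot be allowlisted as tightly
    // as an integer id, so it is applied even after validation.
    static String render(String raw) {
        Integer id = parseQuestionId(raw);
        if (id == null) {
            return "<p>Invalid question id.</p>";
        }
        String value = id.toString();
        try {
            String forJs = XSSEncoder.encodeJavaScript(value);
            String forHtml = XSSEncoder.encodeHTML(value);
            return "<script>var qid = '" + forJs + "';</script>\n"
                 + "<h1>Question " + forHtml + "</h1>";
        } catch (Exception e) { // encodeHTML may declare a checked exception
            return "<p>Could not render question.</p>";
        }
    }
}
```

A portal component would call render(request.getParameter("questionid")) from doContent and write the result to the response; a response that is sent by POST (as the first answer suggests) still needs this same output encoding, because the reflected value is the issue, not the HTTP method.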
