XSS 1
try | |
{ | |
HttpSession ses = request.getSession(true); | |
if(Validate.validateSession(ses)) | |
{ | |
ShepherdLogManager.setRequestIp(request.getRemoteAddr(), request.getHeader("X-Forwarded-For"), ses.getAttribute("userName").toString()); | |
log.debug(levelName + " accessed by: " + ses.getAttribute("userName").toString()); | |
Cookie tokenCookie = Validate.getToken(request.getCookies()); | |
Object tokenParmeter = request.getParameter("csrfToken"); | |
if(Validate.validateTokens(tokenCookie, tokenParmeter)) | |
{ | |
String searchTerm = request.getParameter("searchTerm"); | |
log.debug("User Submitted - " + searchTerm); | |
String htmlOutput = new String(); | |
if(FindXSS.search(searchTerm)) | |
{ | |
String theHash = this.getClass().getSimpleName(); | |
log.debug("XSS Lesson Completed!"); | |
Encoder encoder = ESAPI.encoder(); | |
htmlOutput = "<h2 class='title'>" + bundle.getString("result.wellDone") + "</h2>" + | |
"<p>" + bundle.getString("result.youDidIt") + "<br />" + | |
"" + bundle.getString("result.resultKey") + | |
Hash.generateUserSolution(Getter.getModuleResultFromHash(getServletContext().getRealPath(""), levelHash), (String)ses.getAttribute("userName")); | |
} | |
log.debug("Adding searchTerm to Html: " + searchTerm); | |
htmlOutput += "<h2 class='title'>" + bundle.getString("response.searchResults") + "</h2>" + | |
"<p>" + bundle.getString("response.noResults") + " '" + | |
searchTerm + | |
"'</p>"; | |
log.debug("Outputting HTML"); | |
out.write(htmlOutput); | |
} | |
} |