Demonstration of HTTP Parameter Pollution (HPP) in a Java servlet, and of the danger of re-emitting URL-decoded request data into links: the container has already percent-decoded what getParameter() returns, so concatenating such a value back into a URL without re-encoding it lets a smuggled "&candidate=..." become a real parameter on the next request.
import org.apache.http.client.utils.URIBuilder;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;
/**
* Created by jaxley on 2/3/16.
*/
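@WebServlet(name = "HelloRequestData", urlPatterns = {"/HelloRequestData"})
public class HelloRequestData extends HttpServlet {

    /*
     * DEMONSTRATION SERVLET - NOT FOR PRODUCTION USE.
     *
     * Shows HTTP Parameter Pollution (HPP): the container percent-decodes query-string
     * parameters before getParameter() returns them, so a value that arrived on the wire
     * as "president%26candidate%3DJeff" comes back as "president&candidate=Jeff". If that
     * decoded value is concatenated back into a URL without being re-encoded, the smuggled
     * "&candidate=Jeff" becomes a real parameter of the next request.
     *
     * Two encoding layers are in play and they are independent of each other:
     *   - URL encoding (URLEncoder / URIBuilder) stops '&', '=', '#', ... from being
     *     reinterpreted inside a query string. The "Polluted URL" link deliberately omits
     *     it so the pollution can be observed.
     *   - HTML escaping (escapeHtml below) stops '<', '"', '&', ... from being reinterpreted
     *     as markup. Every request-derived value written to the page goes through it. This
     *     does not hide the HPP demo: a browser decodes "&amp;" inside an href back to "&"
     *     before it resolves the link, so the smuggled parameter is still sent.
     */

    /**
     * This demo only renders GET. The previous override had an empty body, which answered a
     * POST with 200 and an empty page; 405 makes the unsupported method visible instead.
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, java.io.IOException {
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    /**
     * Renders the raw and decoded request URI/URL, the "poll" and "candidate" parameters, and
     * three ways of rebuilding a link from "poll": one deliberately polluted, two safe.
     *
     * @param request  the GET request; "poll" and "candidate" are read from its query string
     * @param response receives a UTF-8 HTML page, or 400 if the URI has a malformed escape
     * @throws java.io.IOException if the response cannot be written
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, java.io.IOException {
        // Name the charset: a bare "text/html" leaves the encoding to the browser, and
        // charset sniffing is a classic way to turn escaped output back into markup.
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setBufferSize(8192);

        String rawUri = request.getRequestURI();            // still percent-encoded, as sent
        String rawUrl = request.getRequestURL().toString();
        String poll = request.getParameter("poll");         // already percent-decoded by the container
        String candidate = request.getParameter("candidate");

        // URLDecoder throws IllegalArgumentException on a malformed escape ("%zz", trailing "%").
        // Left unhandled that surfaced as a 500 with a stack trace; it is a client error, so 400.
        // Done before anything is written so sendError() still has an uncommitted response.
        String decodedUri;
        String decodedUrl;
        try {
            decodedUri = decodeUri(rawUri);
            decodedUrl = decodeUri(rawUrl);
        } catch (IllegalArgumentException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Malformed percent-encoding in request URI");
            return;
        }

        StringBuilder body = new StringBuilder(1024);
        body.append("<body>")
            .append("<ul>")
            .append("<li>Raw request URI: ").append(escapeHtml(rawUri))
            .append(" (<a href=\"").append(escapeHtml(rawUri)).append("\">clickable</a>)</li>")
            .append("<li>Raw request URL: ").append(escapeHtml(rawUrl)).append("</li>")
            .append("</ul>")
            .append("<h2>DECODED: DANGER LIES AHEAD!</h2>")
            .append("<ul>")
            // The decoded URI is emitted as a link on purpose: any '&' or '=' it contained is
            // now live query syntax. It is HTML-escaped so it cannot ALSO break out of the
            // attribute - URL-level pollution is the lesson here, not script injection.
            .append("<li>Decoded request URI: ").append(escapeHtml(decodedUri))
            .append(" (<a href=\"").append(escapeHtml(decodedUri)).append("\">clickable</a>)</li>")
            .append("<li>Decoded request URL: ").append(escapeHtml(decodedUrl)).append("</li>")
            .append("</ul>")
            // Attacker-controlled parameters reflected into the page: escaped, or this would be
            // plain reflected XSS unrelated to the HPP demonstration.
            .append("<p>Request.getParameter(poll): ").append(escapeHtml(poll))
            .append("<br/>Request.getParameter(candidate): ").append(escapeHtml(candidate)).append("</p>")
            .append("HTTP Parameter Pollution Vulnerability via 'poll' parameter (force an encoded query string value into a URL): ")
            .append("<br/><a href=\"").append(escapeHtml(rawUri))
            .append("?poll=president%26candidate%3DJeff\">Click to Demonstrate Pollution</a>")
            .append(" - via encoded candidate=Jeff smuggled into the 'Polluted URL' below");

        if (poll != null) {
            // Control flow changed by a smuggled parameter: the user never picked a candidate,
            // yet the page thanks them for the vote the link author planted in "poll".
            if (candidate != null) {
                body.append("<p><h2>Thank you for voting for ").append(escapeHtml(candidate))
                    .append("</h2></p>");
            }
            try {
                URIBuilder builder = new URIBuilder(rawUri);
                builder.setParameter("poll", poll);   // URIBuilder percent-encodes the value for us
                body.append("<p><br/><a href=\"")
                    // INTENTIONALLY POLLUTED: "poll" is concatenated without URL-encoding, so
                    // "president&candidate=Jeff" goes out with a live '&'. HTML escaping keeps it
                    // inside the attribute; the browser still follows it as two parameters.
                    .append(escapeHtml(rawUri)).append("?poll=").append(escapeHtml(poll))
                    .append("\">Click Here to Vote: Polluted URL</a> - URL built using query parameters that smuggle values in so is polluted. Will smuggle candidate=Jeff when clicked.")
                    // URLEncoder output contains only unreserved characters plus '%', '+' and '*',
                    // so it is attribute-safe as well as query-safe.
                    .append("<br/><a href=\"").append(escapeHtml(rawUri)).append("?poll=")
                    .append(URLEncoder.encode(poll, "UTF-8"))
                    .append("\" >Click Here to Vote: Not Polluted (safe - URLEncoder)</a> - build using encoded query parameters.")
                    // builder.toString() may legitimately contain '&' between parameters; in an
                    // attribute that must be "&amp;", hence the escape.
                    .append("<br/><a href=\"").append(escapeHtml(builder.toString()))
                    .append("\" >Click Here to Vote: Not Polluted (safe - URIBuilder)</a> - build using encoded query parameters.</p>");
            } catch (URISyntaxException e) {
                // printStackTrace() went to stderr and the page silently lost its links;
                // keep the cause in the servlet log and tell the reader why the links are absent.
                log("Could not rebuild poll URL from request URI " + rawUri, e);
                body.append("<p>Could not build vote links: request URI is not a valid URI.</p>");
            }
        }
        body.append("</body>");

        PrintWriter out = response.getWriter();
        out.println("<html><head><title>RequestData</title></head>");
        out.println(body);
        out.println("</html>");
        out.close();
    }

    /**
     * Percent-decodes {@code uri} as UTF-8.
     *
     * NOTE: URLDecoder implements application/x-www-form-urlencoded decoding, not RFC 3986
     * path decoding - it also turns '+' into a space, which is wrong for a path segment. It is
     * kept because the demo is about what happens when any decoded form is re-emitted.
     *
     * @param uri a percent-encoded URI or URL
     * @return the decoded text
     * @throws IllegalArgumentException    on a malformed escape sequence (caller maps it to 400)
     * @throws UnsupportedEncodingException never in practice; UTF-8 is always available
     */
    private String decodeUri(String uri) throws UnsupportedEncodingException {
        return URLDecoder.decode(uri, "UTF-8");
    }

    /**
     * Escapes the five characters that can change meaning in HTML text or a double-quoted
     * attribute value. {@code null} renders as the text "null", matching what plain string
     * concatenation produced before. This is HTML-context escaping only: it does nothing about
     * URL-context metacharacters such as '&' or '=' inside a query string.
     *
     * @param s text to embed in HTML; may be {@code null}
     * @return the escaped text
     */
    private static String escapeHtml(String s) {
        String text = String.valueOf(s);
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}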