Xss漏洞

Question

对于我的web应用程序，开发人员报告告诉我，我已经对Acunetix漏洞扫描仪进行了一次审计：

/referentiels-web/j_spring_cas_security_check
Details
URL encoded GET input ticket was set to ST-1664-V7HlBALHdSMeqYmAjHL9-passeport01.brgm-rec.fr'"()&%<acx><ScRiPt>qvVq(9803)</ScRiPt>
>qvVq(9803)</ScRiPt>
GET /referentiels-web/authfailed.jsp;jsessionid=83A16DB68D05ECF865408DAC009A0DAF HTTP/1.1
Referer: https://myapp.com:443/referentiels-web/
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Host: Rgf-ref.brgm-rec.fr

但是当我试图复制这个xss漏洞时，我无法重现，为什么？

我的测试网址：

https://myapp.com:443/referentiels-web/authfailed.jsp;jsessionid=83A16DB68D05EC‌​F865408DAC009A0DAF?<sc ript>alert('test')</sc ript>

报告：

​

邮差：

​

authfailed.jsp:

<%@ page import="org.springframework.security.core.AuthenticationException" %>
<%@ page import="org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter" %>
<%@ page import="org.springframework.security.web.WebAttributes" %>

<html>
<head>
    <title>Login to CAS failed!</title>
</head>

<body>
<h2>Login to CAS failed!</h2>

<font color="red">
    Your CAS credentials were rejected.<br/><br/>
    Reason: <%= ((AuthenticationException) session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION)).getMessage() %>
</font>

</body>
</html>

Answer 1

我可以从报告中看到脚本被设置为“票证”获取输入。

尝试使用这个url：

https://myapp.com:443/referentiels-web/authfailed.jsp;jsessionid=83A16DB68D05EC‌​F865408DAC009A0DAF?ticket=ST-1664-V7HlBALHdSMeqYmAjHL9-passeport01.brgm-rec.fr'"()&%<ScRiPt>alert('test')</ScRiPt>

或者是编码的，比如：

https://myapp.com:443/referentiels-web/authfailed.jsp;jsessionid=83A16DB68D05EC‌​F865408DAC009A0DAF?ticket=%53%54%2D%31%36%36%34%2D%56%37%48%6C%42%41%4C%48%64%53%4D%65%71%59%6D%41%6A%48%4C%39%2D%70%61%73%73%65%70%6F%72%74%30%31%2E%62%72%67%6D%2D%72%65%63%2E%66%72%27%22%28%29%26%25%3C%53%63%52%69%50%74%3E%61%6C%65%72%74%28%27%74%65%73%74%27%29%3C%2F%53%63%52%69%50%74%3E

或

https://myapp.com:443/referentiels-web/authfailed.jsp;jsessionid=83A16DB68D05EC‌​F865408DAC009A0DAF?ticket=U1QtMTY2NC1WN0hsQkFMSGRTTWVxWW1BakhMOS1wYXNzZXBvcnQwMS5icmdtLXJlYy5mciciKCkmJTxTY1JpUHQ+YWxlcnQoJ3Rlc3QnKTwvU2NSaVB0Pg==