outputStream writing a byteArray - XSS validation

Asked

Viewed 85 times

2

I am working with a software that goes through a "Security Application" that indicates the lines of code that are potentially insecure (theoretically).

Based on the code below, the application signals the line of the outputStream.write() accusing of Improper Neutralization of Script-Related HTML Tags in a Web Page (Improper neutralization of code related to html tags on a web page)

response.addHeader("Content-Disposition","attachment; filename=" + Util.NeutralizeFileName(filename));
byte[] bytes = obj_Data.getBytes("File");
ServletOutputStream ouputStream = response.getOutputStream();
ouputStream.write(bytes, 0, bytes.length);
ouputStream.flush();
ouputStream.close();

I’m not actually writing a html but rather a downloadable file. What’s more, all "unreliable" data coming from the user is being validated and neutralised before being converted to the byte array.

So my question is, is this some kind of false Warning (False alert)? If not, what can I do to produce a appropriate validation?

1 answer

2


Not knowing the criterion used by the tool is tricky to speculate.

However, the above code may cause security problems because the file submitted via download could, in theory, have malicious content, from HTML to a virus executable that would be downloaded by a user.

I don’t know what the intelligence of the tool is, but maybe the warning is not inhibited if the headers Content-type, Content-transfer-encoding and Content-length are appropriately defined to represent the binary file.

The problem is that without the headers, the browser would have to "guess" which file type and this might be cause for alert.

However, ultimately, refer to the manual or support of the tool in question.

  • 1

    Your answer was quite helpful, especially the part where you say consulte o manual ou suporte da ferramenta em questão. The problem is that the tool does not understand the context in which the software is writing (i.e., it does not distinguish whether it is an HTML or a downloadable file). So it is not necessarily a false Warning but rather a purposeful behavior of the application of analysis.

Browser other questions tagged

You are not signed in. Login or sign up in order to post.