Test case 145076

Type: source code
State: mixed
Status: candidate
Language: Java
Submission Date: 21 May 2013

Description

CWE: 80 Cross Site Scripting (XSS)
BadSource: getQueryString_Servlet Parse id param out of the URL query string (without using getParameter())
GoodSource: A hardcoded string
BadSink: Display of data in web page after using replaceAll() to remove script tags, which will still allow XSS (CWE 182: Collapse of Data into Unsafe Value)
Flow Variant: 51 Data flow: data passed as an argument from one function to another in different classes in the same package

Flaws

CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Test Suites

Juliet Java 1.3 with extra support
Juliet Java 1.2
Juliet Java 1.2 with extra support
Juliet Java 1.3

Documentation

Juliet 1.3 Test Suite: Changes From 1.2
Release Log for Juliet 1.3
Juliet v1.2 for Java cases.pdf

Have any comments on this test case? Please, send us an email.