60 lines
1.8 KiB
Plaintext
60 lines
1.8 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Setting the wrong Content-Type for a response can leave an application vulnerable to cross-site scripting attacks. Specifically, JSON should always be served with the ``++application/json++`` Content-Type.
|
|
|
|
|
|
This rule checks the Content-Type of responses containing classes in the ``++org.json++`` and ``++javax.json++`` packages.
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,java]
|
|
----
|
|
public void doGet(HttpServletRequest request, HttpServletResponse response) {
|
|
JSONObject jsonRespone = getJsonResponse(request);
|
|
|
|
try {
|
|
response.setContentType("text/html"); // Noncompliant; wrong type
|
|
PrintWriter out = response.getWriter();
|
|
out.println(jsonResponse.toJSONString());
|
|
out.close();
|
|
} catch (IOException e) {
|
|
e.printStackTrace();
|
|
}
|
|
}
|
|
|
|
public void doPost(HttpServletRequest request, HttpServletResponse response) { // Noncompliant; response type not set
|
|
JSONObject jsonRespone = getJsonResponse(request);
|
|
|
|
try {
|
|
PrintWriter out = response.getWriter();
|
|
out.println(jsonResponse.toJSONString());
|
|
out.close();
|
|
} catch (IOException e) {
|
|
e.printStackTrace();
|
|
}
|
|
}
|
|
----
|
|
|
|
|
|
:link-with-uscores1: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
|
|
|
|
== Resources
|
|
|
|
* OWASP - https://owasp.org/Top10/A03_2021-Injection/[Top 10 2021 Category A3 - Injection]
|
|
* OWASP - https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[Top 10 2017 Category A7 - Cross-Site Scripting (XSS)]
|
|
* {link-with-uscores1}[OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet] - Rule #3.1
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
The Content-Type of this response is "xxx".
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|