Cross-site scripting (XSS) via HttpServletRequest data in HttpServletResponse writer

Severity: High Risk
Category: cross-site-scripting
Tags: java, servlet, httpservletresponse, xss, web

What it is

An XSS vulnerability in Java web applications where untrusted data taken from HttpServletRequest (parameters, headers, cookies, path segments) is written straight into the HttpServletResponse without encoding appropriate to the output context (HTML body, attribute, JavaScript, URL). Any markup in the input is then interpreted by the victim's browser, so an attacker can inject script that runs in the user's session.

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class VulnerableServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Both values are attacker-controlled: anything in the query string
        // arrives here unchanged.
        String userName = request.getParameter("user");
        String searchQuery = request.getParameter("q");

        response.setContentType("text/html");
        // getWriter() declares IOException, so doGet must declare it too.
        PrintWriter out = response.getWriter();

        // VULNERABLE: Direct output without encoding. The parameters are
        // concatenated into the HTML, so any tags or attributes they contain
        // become part of the page.
        out.println("<html><body>");
        out.println("<h1>Hello " + userName + "!</h1>");
        out.println("<p>Search: " + searchQuery + "</p>");
        out.println("</body></html>");
    }
}

// Attack: ?user=<script>alert('XSS')</script>

import org.owasp.encoder.Encode;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class SecureServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String userName = request.getParameter("user");
        String searchQuery = request.getParameter("q");

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        // SECURE: Encode all user input for the HTML text context before it
        // is written. Encode.forHtml() turns < > & " ' into entities, so the
        // browser renders the input as text instead of parsing it as markup.
        out.println("<html><body>");
        out.println("<h1>Hello " + Encode.forHtml(userName) + "!</h1>");
        out.println("<p>Search: " + Encode.forHtml(searchQuery) + "</p>");
        out.println("</body></html>");
    }
}

💡 Why This Fix Works

The vulnerable code writes request parameters directly into the response body without HTML encoding, so an attacker who controls a parameter controls part of the page's markup. The fixed version passes every untrusted value through OWASP Encoder's Encode.forHtml() before writing it, which escapes the characters that would otherwise start a tag or attribute. Note that forHtml() is the right choice only for HTML text and quoted attribute content; values placed inside JavaScript or URLs need the encoder for that context.

Why it happens

Data read from HttpServletRequest is concatenated into HTML and written to the response without any encoding, so characters such as < and " in the input are parsed as markup by the browser rather than displayed as text.

Root causes

Unescaped Request Parameters

Request parameters are written directly to the response without HTML encoding.

Direct Response Writer Usage

Writing user data through HttpServletResponse.getWriter() bypasses the automatic output escaping that a template engine would apply, so the servlet code itself becomes solely responsible for encoding every value correctly.

Fixes

1. Use OWASP Encoder for HTML Context

Encode all untrusted data using OWASP Encoder before writing to the response.

2. Use Framework Templates with Auto-Escaping

Use template engines that automatically escape output by default (JSP with c:out, Thymeleaf, etc.).

3. Context-Specific Encoding

Use appropriate encoding based on the output context (HTML body, attributes, JavaScript, etc.).
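Fix 3 is the one most often done wrong: a single Encode.forHtml() call is correct for HTML text but not for a value that ends up inside a JavaScript string or a URL. The servlet below is an added example, not code from the original page or from Sourcery, showing the same untrusted parameter (assumed name "q") rendered in four contexts with the matching OWASP Encoder method for each; the class name and the "/search" path are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;

// Added example (hypothetical servlet, not from the page): one untrusted value,
// four output contexts, one encoder per context.
public class ContextEncodingServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Assumed parameter name; every value from HttpServletRequest is untrusted.
        String q = request.getParameter("q");
        if (q == null) {
            q = "";
        }

        // Declare the charset explicitly so the browser cannot be tricked into
        // sniffing a different encoding for the page.
        response.setContentType("text/html; charset=UTF-8");
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();

        out.println("<!DOCTYPE html><html><head><meta charset=\"UTF-8\">");
        out.println("<title>" + Encode.forHtml(q) + "</title></head><body>");

        // 1. HTML body text: forHtml turns < > & " ' into entities, so the value
        //    is rendered as text and can never open a tag.
        out.println("<p>Results for: " + Encode.forHtml(q) + "</p>");

        // 2. Quoted HTML attribute: forHtmlAttribute escapes the quote characters,
        //    so the value cannot terminate the attribute and add a new one.
        out.println("<input type=\"text\" name=\"q\" value=\""
                + Encode.forHtmlAttribute(q) + "\">");

        // 3. URL query component inside an href: two nested contexts. First
        //    forUriComponent percent-encodes reserved characters so the value is a
        //    single query parameter, then the whole URL is attribute-encoded because
        //    it sits inside a quoted HTML attribute.
        String href = "/search?q=" + Encode.forUriComponent(q);
        out.println("<a href=\"" + Encode.forHtmlAttribute(href) + "\">Search again</a>");

        // 4. JavaScript string literal in a <script> block: forJavaScript
        //    backslash-escapes quotes, backslashes, line terminators and the forward
        //    slash, so the value can neither end the string nor close the script
        //    element. forHtml is NOT enough here: the browser does not decode HTML
        //    entities inside <script>, so an entity-encoded quote would still
        //    terminate the string.
        out.println("<script>var lastQuery = '" + Encode.forJavaScript(q) + "';</script>");

        out.println("</body></html>");
    }
}
```

The rule of thumb the example follows: pick the encoder by asking where the browser will parse the value, and when a value crosses two parsers (a URL inside an attribute), encode for the inner context first and the outer context second. If a framework template with auto-escaping (fix 2) renders the page instead, the same context distinction still applies, since most engines auto-escape only the HTML text context.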

Detect This Vulnerability in Your Code

Sourcery automatically identifies cross-site scripting (XSS) via HttpServletRequest data in HttpServletResponse writer and many other security issues in your codebase.