Title: Medium severity CWE-79 vulnerability in src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01584.java:52 (1 additional file changed) by appsecai-inte-tool[bot] · Pull Request #340 · AppSecureAI/BenchmarkJava100-public · GitHub
Open Graph Title: Medium severity CWE-79 vulnerability in src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01584.java:52 (1 additional file changed) by appsecai-inte-tool[bot] · Pull Request #340 · AppSecureAI/BenchmarkJava100-public
X Title: Medium severity CWE-79 vulnerability in src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01584.java:52 (1 additional file changed) by appsecai-inte-tool[bot] · Pull Request #340 · AppSecureAI/BenchmarkJava100-public
Description: Vulnerability Information AppSecAI Vulnerability ID: 6914fa3a28b9e848644fceb7 Vulnerability: Cross-Site Scripting CWE Classification: CWE-79 Severity: Medium File: src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01584.java Detection Rule: java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer Description: Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views. Triage Analysis Status: Confirmed vulnerability Security Assessment: Severity: High Confidence: 100% Analysis User input from request.getParameterValues() flows through param → bar → response.getWriter().format() without any HTML encoding. The user-controlled value is used as the format string itself and written directly to an HTML response (Content-Type: text/html). An attacker can inject arbitrary JavaScript (e.g., ) which executes in the victim's browser. The X-XSS-Protection: 0 header explicitly disables browser-level XSS filtering, removing a defense layer. Recommended Remediation Apply context-appropriate output encoding before writing user input to the response. Use OWASP Java Encoder: String safe = Encode.forHtml(bar); response.getWriter().write(safe); Alternatively, use a templating engine (JSP/JSF) with automatic escaping. Remove the X-XSS-Protection: 0 header. Consider implementing Content Security Policy headers for defense-in-depth. Remediation Details Fix Description: Fix Summary The Cross-Site Scripting (XSS) vulnerability has been successfully remediated in src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01584.java. Changes made: Added OWASP Java Encoder import (line 26): import org.owasp.encoder.Encode; HTML-escaped user input (line 53): Changed from response.getWriter().format(java.util.Locale.US, bar, obj); to response.getWriter().format(java.util.Locale.US, Encode.forHtml(bar), obj); Added dependency to pom.xml: OWASP Java Encoder 1.3.1 Security improvement: The Encode.forHtml() method converts dangerous HTML metacharacters into safe HTML entities: < → < > → > " → " ' → ' & → & This prevents attackers from injecting malicious JavaScript through the BenchmarkTest01584 request parameter, as the injected code is rendered as text rather than executed in the victim's browser. bug_fix_explanation: The code wrote user-controlled input (bar, derived from request parameter BenchmarkTest01584) directly to the HTTP response without HTML escaping. This created a reflected XSS vulnerability where attackers could inject malicious JavaScript (e.g., ) that executes in victims' browsers, enabling session hijacking, credential theft, and other attacks. Fixed by wrapping the user input in Encode.forHtml() before writing to the response. This converts HTML special characters to safe entities, rendering injected code as harmless text. OWASP Java Encoder is the industry-standard library for output encoding and provides context-specific encoding methods that prevent XSS attacks comprehensively. The fix maintains complete API compatibility—all method signatures, return types, and functional behavior remain unchanged. The only difference is that HTML special characters in user input are now properly escaped, which is the correct and expected behavior for web applications. Changes Made: Updated source code with secure implementation Updated 1 additional file (dependencies, configurations, etc.) This PR was generated automatically to address a security vulnerability. Please review the changes carefully before merging.
Open Graph Description: Vulnerability Information AppSecAI Vulnerability ID: 6914fa3a28b9e848644fceb7 Vulnerability: Cross-Site Scripting CWE Classification: CWE-79 Severity: Medium File: src/main/java/org/owasp/benchmark...
X Description: Vulnerability Information AppSecAI Vulnerability ID: 6914fa3a28b9e848644fceb7 Vulnerability: Cross-Site Scripting CWE Classification: CWE-79 Severity: Medium File: src/main/java/org/owasp/benchmark...
Opengraph URL: https://github.com/AppSecureAI/BenchmarkJava100-public/pull/340
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:70278400-5e82-7c78-4cd0-da70f1fae443 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | 860C:1D1BFA:1AE56D4:2361643:6A5C832D |
| html-safe-nonce | 65be87f70698cb6a76b7941e2a674ae12a70603bee7562ae354cd69bfc97d8ab |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4NjBDOjFEMUJGQToxQUU1NkQ0OjIzNjE2NDM6NkE1QzgzMkQiLCJ2aXNpdG9yX2lkIjoiNTY4MTIyNDQxMTI1ODg0ODA0NSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 80bb0b34373625685dcd4863c1e7d9965c2c7d087379ec83365d99a4a9c6bc2a |
| hovercard-subject-tag | pull_request:3004744994 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/AppSecureAI/BenchmarkJava100-public/pull/340/files |
| twitter:image | https://avatars.githubusercontent.com/u/148882153?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/148882153?s=400&v=4 |
| og:image:alt | Vulnerability Information AppSecAI Vulnerability ID: 6914fa3a28b9e848644fceb7 Vulnerability: Cross-Site Scripting CWE Classification: CWE-79 Severity: Medium File: src/main/java/org/owasp/benchmark... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 5290d7e14309ad1e76106a9c4237bd1041517e83ea182c8ab756752cb0c6940b |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/AppSecureAI/BenchmarkJava100-public git https://github.com/AppSecureAI/BenchmarkJava100-public.git |
| octolytics-dimension-user_id | 148882153 |
| octolytics-dimension-user_login | AppSecureAI |
| octolytics-dimension-repository_id | 1095020699 |
| octolytics-dimension-repository_nwo | AppSecureAI/BenchmarkJava100-public |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 1095020699 |
| octolytics-dimension-repository_network_root_nwo | AppSecureAI/BenchmarkJava100-public |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 9c975978430e9ad293956f2bbdaf153b1bd84a99 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width