CSRF-Protection for JSP


OPT.JSP.SEC_JSP.FileInclusionVulnerability

JSP technology provides the <jsp:include> action (or the JSTL <c:import> tag) for including content in the current page, from a local web application resource or from a URL, respectively.

When the page path or URL is formed from untrusted input, an attacker can supply that input in the HTTP request to force the J2EE application server to include an unintended resource. This opens the way either to disclosure of sensitive local files (such as a /WEB-INF configuration file) or to catastrophic remote file injection (for example, attacker-controlled remote content with embedded malicious JavaScript for CSRF attacks, or Java code in a scriptlet that executes unexpected server-side operations, including operating system commands).

Kiuwan provides the rule OPT.JSP.SEC_JSP.FileInclusionVulnerability, which flags JSP dynamic include actions whose target is built from untrusted input, so that unintended leakage of sensitive local or remote files and remote file include attacks are avoided.


Use the compile-time <%@ include %> directive if the included page is local and static.

If the included page must be dynamic, never let untrusted input directly form part of the page path (for <jsp:include>) or the page URL (for <c:import>). Prefer a request attribute, set in the server-side controller class that processes the request, where the dynamic page is selected (untrusted input should still not become part of the page path or URL there either).

A "white-list" validation scheme (untrusted input may be used only to select from a known list of allowed pages) could be used as well.
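The following controller is an added example, not code from Kiuwan or from this rule's documentation. It combines the two recommendations above: the untrusted request parameter is used only as a lookup key into a fixed allow-list of view paths, and the selected path is passed to the layout JSP through a request attribute so that <jsp:include> never sees raw client input. The servlet name, the "view" parameter, the attribute name and the JSP paths are assumptions chosen for the example.

```java
// Added example (not from the Kiuwan rule page): a controller servlet that maps an
// untrusted "view" parameter onto a fixed allow-list of JSP paths and hands the
// chosen path to the layout JSP through a request attribute. The class name, the
// parameter/attribute names and the page paths are assumptions for this example.
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/dispatch")
public class ViewDispatcherServlet extends HttpServlet {

    // Allow-list: the only values that may ever reach <jsp:include>. Keys are the
    // tokens a client may send; values are fixed, application-controlled paths.
    private static final Map<String, String> ALLOWED_VIEWS = Map.of(
        "home",    "/WEB-INF/views/home.jsp",
        "profile", "/WEB-INF/views/profile.jsp",
        "help",    "/WEB-INF/views/help.jsp");

    private static final String DEFAULT_VIEW = "/WEB-INF/views/home.jsp";

    // Resolve the client-supplied token to a known path. A missing, null or unknown
    // token falls back to the default view; the token itself is never concatenated
    // into the path, so "../", "/WEB-INF/web.xml" or "http://evil.example" can only
    // miss the lookup. (Map.of rejects null keys, so null is checked explicitly.)
    static String resolveView(String requested) {
        if (requested == null || !ALLOWED_VIEWS.containsKey(requested)) {
            return DEFAULT_VIEW;
        }
        return ALLOWED_VIEWS.get(requested);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String view = resolveView(req.getParameter("view"));
        req.setAttribute("selectedView", view);
        // layout.jsp includes the selected fragment with
        //   <jsp:include page="${selectedView}" />
        // rather than the vulnerable form
        //   <jsp:include page="<%= request.getParameter(\"view\") %>" />
        // which is the pattern OPT.JSP.SEC_JSP.FileInclusionVulnerability reports.
        req.getRequestDispatcher("/WEB-INF/views/layout.jsp").forward(req, resp);
    }
}
```

Keeping the allow-listed fragments under /WEB-INF means they cannot be requested directly by URL, only through the controller; the same pattern applies to <c:import>, where the request attribute holds a URL chosen from a fixed set rather than one assembled from the request.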