java.lang.NumberFormatException: For input string: \"1<iframe src=javascript:alert(26748) \"

Apereo Issues | Ken Maruyama | 4 years ago
  1. 0

    We use a security software that will scan our web applications, and it detected a cross-site scripting security issue with severity high. I'm not sure if this is a real security concern because it doesn't appear that the browser will actually execute the JavaScript that gets embedded in the HTTP response. However, at least it is something that a security software detects as a cross-site scripting security issue. And some organizations like ours are very sensitive to what the security software reports. It might be worthwhile to at least not make any valid JavaScript code appear in the HTTP response. At the end of the message I will put what the security software put in the report.

    Here is how to replicate this:

    Use URL: /login?execution=e2s1%3Ciframe+src%3Djavascript%3Aalert%2826748%29+

    The result will be this displayed on the browser:

{"exception.message":"org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key 'e2s1<iframe src=javascript:alert(26748) ', the expected format is 'e<executionId>s<snapshotId>'","exception.stacktrace":"org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key 'e2s1<iframe src=javascript:alert(26748) ', the expected format is 'e<executionId>s<snapshotId>'\r\n\tat org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.parseSnapshotId(AbstractFlowExecutionRepository.java:221)\r\n\tat org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.parseFlowExecutionKey(AbstractFlowExecutionRepository.java:120)\r\n\tat org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:164)\r\n\tat org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:183)\r\n\tat org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)\r\n\tat 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)\r\n\tat org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)\r\n\tat org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)\r\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:617)\r\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:717)\r\n\tat org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody2(SafeDispatcherServlet.java:128)\r\n\tat org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody3$advice(SafeDispatcherServlet.java:57)\r\n\tat org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:1)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)\r\n\tat org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)\r\n\tat org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)\r\n\tat org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)\r\n\tat com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)\r\n\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)\r\n\tat 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)\r\n\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)\r\n\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\r\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)\r\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)\r\n\tat org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)\r\n\tat org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)\r\n\tat org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)\r\n\tat java.lang.Thread.run(Unknown Source)\r\nCaused by: java.lang.NumberFormatException: For input string: \"1<iframe src=javascript:alert(26748) \"\r\n\tat java.lang.NumberFormatException.forInputString(Unknown Source)\r\n\tat java.lang.Integer.parseInt(Unknown Source)\r\n\tat java.lang.Integer.valueOf(Unknown Source)\r\n\tat org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.parseSnapshotId(AbstractFlowExecutionRepository.java:219)\r\n\t... 33 more\r\n","failure":"true"}

    Report generated by the security application:

    [1 of 4] Cross-Site Scripting
    Severity: High
    Test Type: Application
    Vulnerable URL: https://xxx.xxx.xxx.xxx/cas-server-webapp-3.5.1/login (Parameter: execution)
    CVE ID(s): N/A
    CWE ID(s): 79 (parent of 82,83)
    Remediation Tasks: Review possible solutions for hazardous character injection
    Variant 1 of 9 [ID=12556]
    The following changes were applied to the original request:
    • Set parameter 'execution's value to 'e2s1%3Ciframe+src%3Djavascript%3Aalert%2826748%29+'
    Request/Response: This request/response contains binary content, which is not included in generated reports.
    Validation In Response:
    • alert(26748)
    Reasoning: The test result seems to indicate a vulnerability because Appscan successfully embedded a script in the response, which will be executed when the page loads in the user's browser.

    Apereo Issues | 4 years ago | Ken Maruyama
    java.lang.NumberFormatException: For input string: \"1<iframe src=javascript:alert(26748) \"
  3. 0

    Landsize value is not validated

    GitHub | 5 years ago | sorklin
    org.bukkit.command.CommandException: Unhandled exception executing command 'mv' in plugin Multiverse-Core v2.0-b271
  5. 0

    Windows : stack in getTerminalWidth

    GitHub | 4 years ago | nanocom
    java.lang.NumberFormatException: For input string: "200x300 (200x80)"
  6. 0

    Pathways are no longer loaded

    GitHub | 3 years ago | cpartl
    java.lang.NumberFormatException: For input string: "5578+mmu:18750"

Root Cause Analysis

  1. java.lang.NumberFormatException

    For input string: \"1<iframe src=javascript:alert(26748) \"

    at java.lang.NumberFormatException.forInputString()
  2. Java RT
    Integer.valueOf
    1. java.lang.NumberFormatException.forInputString(Unknown Source)
    2. java.lang.Integer.parseInt(Unknown Source)
    3. java.lang.Integer.valueOf(Unknown Source)
    3 frames
  3. Spring Web Flow
    AbstractFlowExecutionRepository.parseSnapshotId
    1. org.springframework.webflow.execution.repository.support.AbstractFlowExecutionRepository.parseSnapshotId(AbstractFlowExecutionRepository.java:219)
    1 frame
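
The frames above end in `Integer.valueOf` being called on the raw snapshot id, and the resulting exception text carries the request parameter into the error response. The sketch below is an added example, not CAS or Spring Web Flow code (class and method names are hypothetical): it checks the key against the `e<executionId>s<snapshotId>` format before any parsing, and builds an error body with no stack trace and with HTML metacharacters escaped.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example; names are hypothetical and not taken from CAS or Spring Web Flow. */
public class FlowKeyErrorDemo {
    // Format quoted in the exception message on this page: e<executionId>s<snapshotId>.
    // Nine digits at most, so Integer.parseInt can never overflow or throw.
    private static final Pattern KEY = Pattern.compile("e(\\d{1,9})s(\\d{1,9})");

    /** Returns {executionId, snapshotId}, or null when the key does not match the format. */
    static int[] parseKey(String raw) {
        if (raw == null) return null;
        Matcher m = KEY.matcher(raw);
        if (!m.matches()) return null;
        return new int[] { Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)) };
    }

    /** JSON string escaping that also hex-escapes HTML metacharacters and non-printables. */
    static String jsonEscape(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  out.append("\\\""); break;
                case '\\': out.append("\\\\"); break;
                case '<': case '>': case '&': case '\'':
                    out.append(String.format("\\u%04x", (int) c)); break;
                default:
                    if (c < 0x20 || c > 0x7e) out.append(String.format("\\u%04x", (int) c));
                    else out.append(c);
            }
        }
        return out.toString();
    }

    /** Error body: fixed message, no stack trace, bounded and escaped copy of the input. */
    static String errorBody(String raw) {
        String shown = raw == null ? "" : raw.substring(0, Math.min(raw.length(), 32));
        return "{\"error\":\"badly formatted flow execution key\",\"received\":\""
                + jsonEscape(shown) + "\",\"failure\":\"true\"}";
    }

    public static void main(String[] args) {
        // Second sample is the decoded value of the execution parameter from the report above.
        String[] samples = { "e2s1", "e2s1<iframe src=javascript:alert(26748) " };
        for (String s : samples) {
            int[] key = parseKey(s);
            System.out.println(key != null ? "ok: e=" + key[0] + " s=" + key[1] : errorBody(s));
        }
    }
}
```

Serving such a body as `application/json` together with `X-Content-Type-Options: nosniff` keeps a browser from treating it as HTML.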