# [XSS] Content-Disposition: attachment
SaltLee
2024. 12. 23. 10:52
When the response carries Content-Disposition: attachment, the browser saves the response body as a file download instead of rendering it.
```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLDecoder;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/DownloadHandler")
public class DownloadHandler extends HttpServlet {
    private static final long serialVersionUID = 1L;

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The request parameter is taken as-is...
        String sHTML = request.getParameter("save_string");
        String decodeSHTML = URLDecoder.decode(sHTML, "utf-8");
        String fileName = "download.html";

        // ...and sent back as an HTML file download
        response.setContentType("text/html; charset=UTF-8");
        response.setHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
        try (PrintWriter out = response.getWriter()) {
            // Written without escaping, so any markup in save_string lands in the file unchanged
            out.println(decodeSHTML);
        }
    }
}
```
Requesting www.test.com/DownloadHandler?save_string=aaa downloads download.html, and opening it shows aaa (since it is written with out.println).
Requesting www.test.com/DownloadHandler?&save_string=<html><script>alert(1)</script></html> produces a download.html in which the script runs when the file is opened.
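A hardened version of the same handler, added here as an example and not part of the original post: user input is HTML-escaped before it is written into the downloaded file, so the markup arrives as inert text. The servlet path and class name are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hardened variant (added example, not the original post's code): the input is
// HTML-escaped before it is written into the downloaded file, so a payload such as
// <script>alert(1)</script> is stored as inert text and shown literally when opened.
@WebServlet("/SafeDownloadHandler")
public class SafeDownloadHandler extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // Escapes the characters that can break out of HTML text context.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String sHTML = request.getParameter("save_string");
        if (sHTML == null) {  // the original throws a NullPointerException when the parameter is absent
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "save_string is required");
            return;
        }
        String decoded = URLDecoder.decode(sHTML, StandardCharsets.UTF_8.name());
        // Fixed filename, so nothing user-controlled reaches the header value.
        response.setContentType("text/html; charset=UTF-8");
        response.setHeader("Content-Disposition", "attachment; filename=\"download.html\"");
        try (PrintWriter out = response.getWriter()) {
            out.println("<pre>" + escapeHtml(decoded) + "</pre>");
        }
    }
}
```

If the feature genuinely has to deliver user-authored HTML, escaping is not an option; in that case deliver it under a non-HTML extension such as .txt or run it through an allow-list HTML sanitizer before writing it out.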