jaxley · January 27, 2017 22:49
diff --git a/HelloRequestData.java b/HelloRequestData.java
 import org.apache.http.client.utils.URIBuilder;

 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.PrintWriter;
 import java.io.UnsupportedEncodingException;
 import java.net.URISyntaxException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;

 /**
 * Created by jaxley on 2/3/16.
 */
 @WebServlet(name = "HelloRequestData", urlPatterns = {"/HelloRequestData"})
 public class HelloRequestData extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, java.io.IOException {

    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, java.io.IOException {

        response.setContentType("text/html");
        response.setBufferSize(8192);
        PrintWriter out = response.getWriter();

        out.println("<html><head><title>RequestData</title></head>");

        String body = "<body>" +
                "<ul>" +
                "<li>Raw request URI:  " + request.getRequestURI() + " (<a href=\"" + request.getRequestURI() + "\">clickable</a>)</li>" +
                "<li>Raw request URL:  " + request.getRequestURL() + "</li>" +
                "</ul>" +
                "<h2>DECODED:  DANGER LIES AHEAD!</h2>" +
                "<ul>" +
                "<li>Decoded request URI:  " + decodeUri(request.getRequestURI()) + " (<a href=\"" + decodeUri(request.getRequestURI()) + "\">clickable</a>)</li>" +
                "<li>Decoded request URL:  " + decodeUri(request.getRequestURL().toString()) + "</li>" +
                "</ul>" +
                "<p>Request.getParameter(poll): " + request.getParameter("poll") +
                "<br/>Request.getParameter(candidate): " + request.getParameter("candidate") + "</p>" +
                "HTTP Parameter Pollution Vulnerability via 'poll' parameter (force an encoded query string value into a URL): " +
                "<br/><a href=\"" + request.getRequestURI() + "?poll=president%26candidate%3DJeff\">Click to Demonstrate Pollution</a> - via encoded candidate=Jeff smuggled into the 'Polluted URL' below";

                if (request.getParameter("poll") != null) {
                    try {
                        URIBuilder builder = new URIBuilder(request.getRequestURI());
                        String pollParameter = request.getParameter("poll");

                        // demonstrating that pollParameter is now automatically decoded, so if it was previously encoded, it now may contain query string metacharacters
                        // allows someone to smuggle http parameters in and change control flow of the application
                        // Imagine someone emailing a link to a poll but when the user clicks

                        String candidate = request.getParameter("candidate");
                        if (candidate != null) {
                            body += "<p><h2>Thank you for voting for " + candidate + "</h2></p>";
                        }

                        builder.setParameter("poll", pollParameter);

                            body += "<p><br/><a href=\"" + request.getRequestURI() + "?poll=" + request.getParameter("poll") + "\">Click Here to Vote:  Polluted URL</a> - URL built using query parameters that smuggle values in so is polluted. Will smuggle candidate=Jeff when clicked." +
                                    "<br/><a href=\"" + request.getRequestURI() + "?poll=" + URLEncoder.encode(request.getParameter("poll"), "UTF-8") + "\" >Click Here to Vote:  Not Polluted (safe - URLEncoder)</a> - build using encoded query parameters."+
                                    "<br/><a href=\"" + builder.toString() + "\" >Click Here to Vote:  Not Polluted (safe - URIBuilder)</a> - build using encoded query parameters.</p>";
                    } catch (URISyntaxException e) {
                     e.printStackTrace();
                    }
                }
        body += "</body>";

        out.println(body);

        out.println("</html>");

        out.close();

    }

    private String decodeUri(String uri) throws UnsupportedEncodingException {
        return URLDecoder.decode(uri, "UTF-8");
    }
 }
	import org.apache.http.client.utils.URIBuilder;

	import javax.servlet.ServletException;
	import javax.servlet.annotation.WebServlet;
	import javax.servlet.http.HttpServlet;
	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpServletResponse;
	import java.io.PrintWriter;
	import java.io.UnsupportedEncodingException;
	import java.net.URISyntaxException;
	import java.net.URLDecoder;
	import java.net.URLEncoder;

	/**
	* Created by jaxley on 2/3/16.
	*/
	@WebServlet(name = "HelloRequestData", urlPatterns = {"/HelloRequestData"})
	public class HelloRequestData extends HttpServlet {
	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, java.io.IOException {

	}

	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, java.io.IOException {

	response.setContentType("text/html");
	response.setBufferSize(8192);
	PrintWriter out = response.getWriter();

	out.println("<html><head><title>RequestData</title></head>");

	String body = "<body>" +
	"<ul>" +
	"<li>Raw request URI: " + request.getRequestURI() + " (<a href=\"" + request.getRequestURI() + "\">clickable</a>)</li>" +
	"<li>Raw request URL: " + request.getRequestURL() + "</li>" +
	"</ul>" +
	"<h2>DECODED: DANGER LIES AHEAD!</h2>" +
	"<ul>" +
	"<li>Decoded request URI: " + decodeUri(request.getRequestURI()) + " (<a href=\"" + decodeUri(request.getRequestURI()) + "\">clickable</a>)</li>" +
	"<li>Decoded request URL: " + decodeUri(request.getRequestURL().toString()) + "</li>" +
	"</ul>" +
	"<p>Request.getParameter(poll): " + request.getParameter("poll") +
	"<br/>Request.getParameter(candidate): " + request.getParameter("candidate") + "</p>" +
	"HTTP Parameter Pollution Vulnerability via 'poll' parameter (force an encoded query string value into a URL): " +
	"<br/><a href=\"" + request.getRequestURI() + "?poll=president%26candidate%3DJeff\">Click to Demonstrate Pollution</a> - via encoded candidate=Jeff smuggled into the 'Polluted URL' below";

	if (request.getParameter("poll") != null) {
	try {
	URIBuilder builder = new URIBuilder(request.getRequestURI());
	String pollParameter = request.getParameter("poll");

	// demonstrating that pollParameter is now automatically decoded, so if it was previously encoded, it now may contain query string metacharacters
	// allows someone to smuggle http parameters in and change control flow of the application
	// Imagine someone emailing a link to a poll but when the user clicks

	String candidate = request.getParameter("candidate");
	if (candidate != null) {
	body += "<p><h2>Thank you for voting for " + candidate + "</h2></p>";
	}

	builder.setParameter("poll", pollParameter);

	body += "<p><br/><a href=\"" + request.getRequestURI() + "?poll=" + request.getParameter("poll") + "\">Click Here to Vote: Polluted URL</a> - URL built using query parameters that smuggle values in so is polluted. Will smuggle candidate=Jeff when clicked." +
	"<br/><a href=\"" + request.getRequestURI() + "?poll=" + URLEncoder.encode(request.getParameter("poll"), "UTF-8") + "\" >Click Here to Vote: Not Polluted (safe - URLEncoder)</a> - build using encoded query parameters."+
	"<br/><a href=\"" + builder.toString() + "\" >Click Here to Vote: Not Polluted (safe - URIBuilder)</a> - build using encoded query parameters.</p>";
	} catch (URISyntaxException e) {
	e.printStackTrace();
	}
	}
	body += "</body>";

	out.println(body);

	out.println("</html>");

	out.close();

	}

	private String decodeUri(String uri) throws UnsupportedEncodingException {
	return URLDecoder.decode(uri, "UTF-8");
	}
	}