Cross Site Scripting (XSS) and prevention

Variants of Cross site scripting (XSS) attacks are almost limitless as mentioned on the OWASP site (https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)). Here I propose to use a Servlet Filter based solution for sanitization of HTTP Request.
The attack
Lets see how an XSS attack manifests itself. Attached is an over simplified portlet which shows a scenario which is very common in social and collaboration based systems like forums. See below psuedo-sequence diagram.
Here, 1. There is a form available where user can enter his comments with a submit button and textbox named “mytext”. User A renders this form. 2. User A enters a java script into input text box and submits the form (this is the step where evil enters your app). Just to make you see the problem; imagine that the script entered by user sends cookies stored by the app to an attacker’s site. 3. User B logs into the system and he wants to see the comments provided by User A. So he goes to respective page where system renders value of “mytext” provided by A. 4. Browser renders value of “mytext”, which is a java script that fetches all the cookies of current site stored for User B and sends it to the Attackers system.
The prevention (better than cure, always) We will see how cleansing of HTTP parameters help in thwarting off this kind of attack. For this attack to be successful what kind of response was sent to browser when B rendered A’s comments? Something like –
<div>A's Comments</div>
<div>
<script>
<!--
This script will get all cookies and will send them to attacker's site.
-->
</script>
</div>
As you can see, the attack was possible due to the fact that, for a browser, an HTML document is mix of markup & executable code. The ability to mix executable code with markup is deadly combination which attackers can exploit. Using a Servlet Filter we can cleans all the input parameters and remove all special characters that can denote executable instructions for browser. This way no evil enters the system. Here is a very simple Servlet Filter that does this. A wrapper over HttpServletRequest is used and methods are override to return request parameter values after escaping. For escaping I suggest using StringEscapeUtils of Apache Commons project instead of doing some custom coding.
Another way is to let the users enter whatever they want but while rendering convert <,>,&,’,” to their corresponding character entity codes. Typically this can be done as using JSTL –
<div>A's comments</div>
<div>
<c:out value="${comments}" escapeXml="true" />
</div>
This approach is especially useful where users can share code snippets with each other.
Based on interaction between user and the system many other clever ways of launching an XSS attacks can be devised. But having absolute control over system input will can surely guard agains such attacks.
Reference: XSS and prevention from our JCG partner Advait Trivedi at the CoolCode blog.
Related Whitepaper:

Web Application Security; How to Minimize Prevalent Risk of Attacks

Vulnerabilities in web applications are now the largest vector of enterprise security attacks.

Stories about exploits that compromise sensitive data frequently mention culprits such as cross-site scripting, SQL injection, and buffer overflow. Vulnerabilities like these fall often outside the traditional expertise of network security managers.

Get it Now!  

Leave a Reply


nine + = 13



Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd | Terms of Use | Privacy Policy
All trademarks and registered trademarks appearing on Java Code Geeks are the property of their respective owners.
Java is a trademark or registered trademark of Oracle Corporation in the United States and other countries.
Java Code Geeks is not connected to Oracle Corporation and is not sponsored by Oracle Corporation.

Sign up for our Newsletter

20,709 insiders are already enjoying weekly updates and complimentary whitepapers! Join them now to gain exclusive access to the latest news in the Java world, as well as insights about Android, Scala, Groovy and other related technologies.

As an extra bonus, by joining you will get our brand new e-books, published by Java Code Geeks and their JCG partners for your reading pleasure! Enter your info and stay on top of things,

  • Fresh trends
  • Cases and examples
  • Research and insights
  • Two complimentary e-books