
Cross Site Scripting (XSS) and prevention

Variants of Cross Site Scripting (XSS) attacks are almost limitless, as the OWASP site explains (https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)). Here I propose a Servlet Filter based solution for sanitizing the HTTP request.
The attack
Let's see how an XSS attack manifests itself. Attached is an oversimplified portlet that shows a scenario very common in social and collaboration based systems such as forums. See the pseudo-sequence diagram below.

Here,
1. There is a form where a user can enter comments, with a submit button and a text box named “mytext”. User A renders this form.
2. User A enters a JavaScript snippet into the input text box and submits the form (this is the step where evil enters your app). To make the problem concrete, imagine that the script entered by the user sends the cookies stored by the app to an attacker's site.
3. User B logs into the system and wants to see the comments provided by User A, so he goes to the respective page, where the system renders the value of “mytext” provided by A.
4. The browser renders the value of “mytext”, which is a JavaScript snippet that fetches all the cookies of the current site stored for User B and sends them to the attacker's system.
The prevention (better than cure, always)
We will see how cleansing HTTP parameters helps in thwarting this kind of attack. For the attack to succeed, what kind of response was sent to the browser when B rendered A's comments? Something like –
<div>A's Comments</div>
<div>
<script>
<!--
This script will get all cookies and will send them to attacker's site.
-->
</script>
</div>
As you can see, the attack was possible because, for a browser, an HTML document is a mix of markup and executable code. The ability to mix executable code with markup is a deadly combination which attackers can exploit. Using a Servlet Filter we can cleanse all the input parameters and remove all special characters that can denote executable instructions for the browser. This way no evil enters the system. Here is a very simple Servlet Filter that does this. A wrapper over HttpServletRequest is used and its methods are overridden to return request parameter values after escaping. For escaping I suggest using StringEscapeUtils from the Apache Commons project instead of doing some custom coding.
Another way is to let users enter whatever they want, but while rendering convert <, >, &, ' and " to their corresponding character entity codes. Typically this is done using JSTL:
<div>A's comments</div>
<div>
<c:out value="${comments}" escapeXml="true" />
</div>
This approach is especially useful where users can share code snippets with each other.
Based on the interaction between the user and the system, many other clever ways of launching XSS attacks can be devised. But having absolute control over system input can surely guard against such attacks.


Reference: XSS and prevention from our JCG partner Advait Trivedi at the CoolCode blog.
Manuel Sellers Rico (@manusellers2)

XSS attacks are frequent in dynamic websites that build their contents from user interaction, for example a blog or a forum. It might happen that when you ask for user input you don't sanitize the input properly before adding it to the database (that can derive in a SQL injection) or when printing it to the website (that can derive in an XSS injection). A common thing that I do is to use a function exclusive to parse chars (, &…) to the HTML equivalent (<, >, &…) every time I ask for user's input. If you are working with PHP you… Read more »
