Servlet Filter for XSS prevention

Greenhorn (Posts: 3):
My application has been through a security audit and I was told that there are XSS issues (parameters passed through the URL are stored without filtering and the output is not entity encoded to take care of HTML metacharacters).

I have 2 questions:

1. I am planning to use a servlet filter with AntiSamy to filter user input for script tag presence (http://bazageous.wordpress.com/). Does it take care of all HTML metacharacters? Which policy file should I use? There is no requirement to enter HTML input.
2. How can I replicate this issue? I have tried injecting
a. <BR SIZE="&{alert('XSS')}">
b. <script>alert(123)</script>
with other user inputs through text fields, but had NO success in creating an alert while rendering the JSP (through JSON and ExtJS). Please suggest how I can reproduce this issue. The application does not take care of XSS as of today.
Sheriff (Posts: 67746):
1. That's a question best answered by the author or by inspecting the code.
2. The problem is unlikely to manifest when simply returning info as JSON, as that's just data. It depends on what you do with that data.

The easiest way to replicate the problem is to enter a script tag as a value that gets displayed in a JSP. Using <c:out> when displaying unsafe data solves 99% of the problem.
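As an added example (not code from this thread, from AntiSamy, or from the JSTL project), the following Java class shows what the poster's second payload turns into when a JSP writes it raw versus through <c:out>. The escapeXml helper mirrors the five characters JSTL's escapeXml encodes (<, >, &, ', ") so the example runs with a plain JDK and no servlet container; the class and method names (XssOutputEncoding, renderUnsafe, renderSafe) and the payload strings are assumptions made for this example. It goes one step beyond the thread's payloads: it also includes an <img onerror> value, which is the kind that still fires when JSON data is inserted into the page via innerHTML by a client-side template, where a literal <script> tag does not execute.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example: output encoding equivalent to JSTL <c:out escapeXml="true">.
 * Not taken from the thread or any library; the helper below is a stand-in for
 * the tag so the comparison runs outside a servlet container.
 */
public final class XssOutputEncoding {

    /** Escapes the same five characters JSTL's escapeXml escapes: < > & ' " */
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** What a JSP that writes ${param.name} directly emits: the value verbatim. */
    static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    /** What a JSP that writes <c:out value="${param.name}"/> emits. */
    static String renderSafe(String name) {
        return "<p>Hello, " + escapeXml(name) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed payloads (assumed for this example).
        // The <script> value reproduces the audit finding in a plain JSP.
        // The <img onerror> value also fires when a client-side template inserts
        // the string via innerHTML, where an inserted <script> element does not run.
        // The third value breaks out of a double-quoted attribute.
        List<String> payloads = Arrays.asList(
            "<script>alert(123)</script>",
            "<img src=x onerror=alert(1)>",
            "\" onmouseover=\"alert(1)"
        );
        for (String p : payloads) {
            System.out.println("unsafe: " + renderUnsafe(p));
            System.out.println("safe:   " + renderSafe(p));
        }
    }
}
```

Compile with javac and run; the "safe" lines show the encoded markup that the browser renders as text. The encoding belongs at the point of rendering: a request filter that rewrites parameters on the way in cannot know whether a value will later land in an HTML element, in an attribute, or in a JSON response, so it is defence in depth on top of <c:out>, not a replacement for it.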