Security Remediation in My current application

vasu Sanaboina
Greenhorn

Joined: Sep 11, 2007
Posts: 16
Hi All,
In my current project we are using Servlets & JSPs. We are facing the below listed security problems:
1. Cross-Site Scripting
2. Stored Cross-Site Scripting
3. Phishing Through Frames
4. Link Injection
Could you please kindly provide your valuable suggestions/solutions to overcome these issues.
Thanking you in advance for your generous support.
Regards,
Vasu
Hebert Coelho
Ranch Hand

Joined: Jul 14, 2010
Posts: 754

Did you google this?

O.o


[uaiHebert.com] [Full WebApplication JSF EJB JPA JAAS with source code to download] One Table Per SubClass [Web/JSF]
vasu Sanaboina
Greenhorn

Joined: Sep 11, 2007
Posts: 16
I googled, but they suggest things like "verify the data in input fields for special characters". But it's very difficult to scan all the fields and URLs. Each screen has 100s of fields. It obviously decreases the performance.
Louis Bros
Ranch Hand

Joined: Jun 03, 2011
Posts: 54

Hi,

One thing that can help to prevent XSS is to use either JSTL or JSF.

Both of those will escape the HTML.


OCA7
vasu Sanaboina
Greenhorn

Joined: Sep 11, 2007
Posts: 16
But it's very difficult to change all the fields to that script. Also, some fields are generated on the Java side, i.e. dynamically formed in Java and populated in the JSP. Mine is a big project.
Louis Bros
Ranch Hand

Joined: Jun 03, 2011
Posts: 54

How are you displaying your values in the JSP?
vasu Sanaboina
Greenhorn

Joined: Sep 11, 2007
Posts: 16
We have separate utility classes like FormWriter and FieldWriter. But mainly the problem is that when we run the IBM AppScan we find these issues.
Louis Bros
Ranch Hand

Joined: Jun 03, 2011
Posts: 54

I think if you posted some of your code you might get more help.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
vasu Sanaboina wrote:But it's very difficult to scan all the fields and URLs. Each screen has 100s of fields. It obviously decreases the performance.


vasu Sanaboina wrote:But it's very difficult to change all the fields to that script. Also, some fields are generated on the Java side, i.e. dynamically formed in Java and populated in the JSP. Mine is a big project.


Neither task is difficult, just time-consuming to implement. But there is no substitute for application security, so it's not like you have a choice. Plus, performance is almost always subservient to security, so again, you have it backwards. I found some useful starting points in the FAQ right here: http://www.coderanch.com/how-to/java/SecurityFaq#web-apps
Pete Nelson
Ranch Hand

Joined: Aug 30, 2010
Posts: 147

Can you get any help from IBM with this? I know some security scanners will find things that MIGHT look like a risk, but depending on your design, may actually pose no threat. In general, it's a good idea to work with the scan vendor (or user forums) to understand what the results are telling you, and if you need to be concerned.

Since the majority of your issues seem to be related to XSS, you may want to take a good look at https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet . Especially rules #1 and #2.

As far as having hundreds of fields to scan, is there a way that using OOP can help overcome this? What does your "FieldWriter" object do?


OCPJP
In preparing for battle I have always found that plans are useless, but planning is indispensable. -- Dwight D. Eisenhower
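Louis Bros's point (JSTL/JSF escape the HTML for you) and Pete Nelson's pointer to OWASP rules #1 and #2 both come down to the same mechanism: encode untrusted data for the exact HTML context it is written into. Because Vasu already routes output through central FieldWriter/FormWriter utilities, that is the natural single place to apply it, so individual JSPs need not be touched one by one. The following is an added example written for this thread, not code from the thread, from CodeRanch, or from any project mentioned; the class name `HtmlEncoder`, the method names and the sample form data are all hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Contextual output encoding in one central utility, in the spirit of the
 * FieldWriter/FormWriter classes mentioned in the thread.
 * Added example with hypothetical names; not code from the thread.
 */
public final class HtmlEncoder {

    private HtmlEncoder() {}

    /** OWASP rule #1: encode untrusted data placed into HTML element content.
     *  The same characters that JSTL's c:out escapes, plus '/'. */
    public static String forHtmlContent(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** OWASP rule #2: encode untrusted data placed into a quoted HTML attribute.
     *  Everything except ASCII letters and digits becomes a numeric entity, so
     *  the value cannot close the quote whichever quote character is used.
     *  Iterates by code point so supplementary characters are not split. */
    public static String forHtmlAttribute(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            if (isAsciiAlnum(cp)) {
                sb.appendCodePoint(cp);
            } else {
                sb.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
        }
        return sb.toString();
    }

    private static boolean isAsciiAlnum(int cp) {
        return (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9');
    }

    /** FieldWriter-style helper: every attribute value passes through the
     *  attribute encoder, so the caller cannot forget it. */
    public static String textInput(String name, String value) {
        return "<input type=\"text\" name=\"" + forHtmlAttribute(name)
             + "\" value=\"" + forHtmlAttribute(value) + "\">";
    }

    /** FieldWriter-style helper for read-only display of a field. */
    public static String labelled(String label, String value) {
        return "<label>" + forHtmlContent(label) + ": <span>"
             + forHtmlContent(value) + "</span></label>";
    }

    public static void main(String[] args) {
        // Constructed sample of user-supplied values, including the kind of
        // payloads a scanner such as AppScan submits to flag XSS findings.
        Map<String, String> form = new LinkedHashMap<>();
        form.put("city", "Hyderabad");
        form.put("note", "<script>alert(1)</script>");
        form.put("nick", "\" onmouseover=\"alert(1)");
        for (Map.Entry<String, String> e : form.entrySet()) {
            System.out.println(textInput(e.getKey(), e.getValue()));
            System.out.println(labelled(e.getKey(), e.getValue()));
        }
    }
}
```

The two encoders are deliberately not interchangeable: element content and attribute values have different break-out characters, which is why the OWASP sheet lists them as separate rules. Values that end up in a URL or inside a script block need their own encoders again (rules #3 onward), so a FieldWriter that exposes one encoder per output context, rather than one generic "sanitize" call at input time, is what makes a field-by-field audit of hundreds of screens unnecessary.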
vasu Sanaboina
Greenhorn

Joined: Sep 11, 2007
Posts: 16
How are these validations performed in projects that use the Spring or Struts frameworks? Currently I am going to implement solutions like validating for some special characters in the input text fields and URLs.
If anyone has a proper solution, kindly let me know.
Thanking you in advance for your valid response.
Regards,
Vasu