This week's book giveaway is in the Design forum.
We're giving away four copies of Building Microservices and have Sam Newman on-line!
See this thread for details.
The moose likes Security and the fly likes DOM Based XSS and check Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Building Microservices this week in the Design forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "DOM Based XSS and check" Watch "DOM Based XSS and check" New topic
Author

DOM Based XSS and check

Sandy Saahil
Greenhorn

Joined: Apr 06, 2006
Posts: 9
Hi Techies,

I am trying to block DOM Based XSS attacks. I want to redirect user to error page if he enters any javascript functions like onMouseHover or window.location etc.

e.g.
[url=http://domainname/context/somepath/somepage.htm?printable=true"+onmouseover="window.location=%27//www.netspi.com/';"+" ]Xss inserted URL[/url]

Encoding is an option but I dont even want to handle such requests. Is there any way of doing that? I browsed OWASP and other security sites but everybody is explaining encoding user input. I want to throw such requests to error page and log them in server logs.

regards,
Saahil


Keep Faith
manjesh ipp
Greenhorn

Joined: Jan 01, 2011
Posts: 9
I think you should validate the inputs and process only trusted data. In this case you know "printable" query parameter should take only "true" or "false" .If you find anything other than these possible values just return some default value or generate a user defined DataValidationException to you can map a global error page.

Sandy Saahil
Greenhorn

Joined: Apr 06, 2006
Posts: 9
Thanks Manjesh for your reply.

I have used ESAPI decode to decode the URL. In my case it would be unable to decode it properly and give error which is what I wanted.

regards,
Sandeep
 
I’ve looked at a lot of different solutions, and in my humble opinion Aspose is the way to go. Here’s the link: http://aspose.com
 
subject: DOM Based XSS and check
 
It's not a secret anymore!