DOM Based XSS and check

Sandy Saahil
Hi Techies,

I am trying to block DOM Based XSS attacks. I want to redirect the user to an error page if he enters any JavaScript functions like onMouseHover or window.location, etc.

e.g.
Xss inserted URL: http://domainname/context/somepath/somepage.htm?printable=true"+onmouseover="window.location=%27//www.netspi.com/';"+"

Encoding is an option, but I don't even want to handle such requests. Is there any way of doing that? I browsed OWASP and other security sites, but everybody explains encoding user input. I want to send such requests to an error page and log them in the server logs.

regards,
Saahil

manjesh ipp
I think you should validate the inputs and process only trusted data. In this case you know the "printable" query parameter should take only "true" or "false". If you find anything other than these possible values, just return some default value or generate a user-defined DataValidationException that you can map to a global error page.

Sandy Saahil
Thanks Manjesh for your reply.

I have used ESAPI decode to decode the URL. In my case it would be unable to decode it properly and give an error, which is what I wanted.

regards,
Sandeep
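Putting the two replies together (an allow-list for "printable" and one decoding pass before the check), here is an added example written for this thread. It is not ESAPI code and not code from any poster; the allow-list contents, the class name, the logger name and the sample query strings are all assumptions. It parses a raw query string into the same shape as HttpServletRequest.getParameterMap(), rejects any parameter name or value outside the allow-list, logs the rejection with control characters neutralised, and returns false so a Filter can forward to the error page instead of the target JSP.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Allow-list validation of query parameters, with rejected requests logged.
 * Example written for this thread (not ESAPI code, not from any poster).
 * In a servlet Filter: call check(request.getRemoteAddr(), request.getQueryString())
 * and, if it returns false, forward to the error page instead of the target.
 */
public class QueryParamAllowList {

    private static final Logger LOG = Logger.getLogger("xss-guard"); // assumed logger name

    /** Thrown when a request carries a parameter or value outside the allow-list. */
    public static class DataValidationException extends Exception {
        public DataValidationException(String msg) { super(msg); }
    }

    /** Hypothetical allow-list: the only names and values this page accepts. */
    private static final Map<String, Set<String>> ALLOWED = new HashMap<>();
    static {
        ALLOWED.put("printable", Set.of("true", "false"));
        ALLOWED.put("page", Set.of("1", "2", "3"));
    }

    /** Rejects unknown parameter names as well as unknown values. */
    public static void validate(Map<String, String[]> params) throws DataValidationException {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            Set<String> ok = ALLOWED.get(e.getKey());
            if (ok == null) {
                throw new DataValidationException("unexpected parameter '" + forLog(e.getKey()) + "'");
            }
            for (String v : e.getValue()) {
                if (!ok.contains(v)) {
                    throw new DataValidationException("bad value for '" + e.getKey() + "': " + forLog(v));
                }
            }
        }
    }

    /**
     * One URL-decoding pass over the raw query string, producing the same shape
     * as HttpServletRequest.getParameterMap(). Decoding exactly once matches what
     * the container does; a double-encoded payload keeps its '%' after this pass
     * and simply fails the allow-list.
     */
    public static Map<String, String[]> parseQuery(String query) {
        Map<String, List<String>> tmp = new LinkedHashMap<>();
        if (query != null && !query.isEmpty()) {
            for (String pair : query.split("&")) {
                int eq = pair.indexOf('=');
                String k = eq < 0 ? pair : pair.substring(0, eq);
                String v = eq < 0 ? "" : pair.substring(eq + 1);
                k = URLDecoder.decode(k, StandardCharsets.UTF_8);
                v = URLDecoder.decode(v, StandardCharsets.UTF_8); // '+' -> ' ', %27 -> '
                tmp.computeIfAbsent(k, x -> new ArrayList<>()).add(v);
            }
        }
        Map<String, String[]> out = new LinkedHashMap<>();
        tmp.forEach((k, vs) -> out.put(k, vs.toArray(new String[0])));
        return out;
    }

    /** Replace CR/LF and other control characters so a rejected value cannot forge log lines. */
    static String forLog(String s) {
        return s.replaceAll("[\\p{Cntrl}]", "?");
    }

    /** True if the request may proceed; false means "send to the error page". */
    public static boolean check(String remoteAddr, String query) {
        try {
            validate(parseQuery(query));
            return true;
        } catch (DataValidationException | IllegalArgumentException ex) {
            // IllegalArgumentException: malformed %-escape such as "%zz"; reject that too.
            LOG.warning("rejected request from " + remoteAddr + ": " + ex.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed inputs
            "printable=true",
            "printable=false&page=2",
            // the payload from the first post in this thread
            "printable=true\"+onmouseover=\"window.location=%27//www.netspi.com/';\"+\"",
            "printable=%2574rue",                  // double-encoded 't'
            "printable=true&debug=1",              // parameter the page never defined
            "printable=%zz",                       // malformed escape
        };
        for (String q : samples) {
            System.out.println((check("203.0.113.5", q) ? "ACCEPT " : "REJECT ") + q);
        }
    }
}
```

Running main prints ACCEPT for the first two samples and REJECT for the rest. Two caveats. This works only because "printable" has a closed set of legal values; a free-text parameter (a search string, a name) has no such allow-list, and the payload in the thread shows why output encoding at the point of reflection is still required there: it breaks out of a quoted attribute, which no input check on arbitrary text can prevent without also breaking legitimate input. And the value is decoded once before the check because that is what the container hands the application; comparing against the raw query string instead would let "%74rue" slip past a naive string match.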