I have a Spring application. I have read about XSS attacks, and I globally disabled them using the answer here: How do I prevent people from doing XSS in Spring MVC?

(I put the context-param in web.xml)

But I am still able to do an XSS attack by giving the script in the URL:

https://localhost/sam/pop/viewProfile?id=/%3E%3Cscript%3Ealert%28123%29%3C/script%3E

How can I solve this?

Pasupathi Rajamanickam

1 Answer

I think you just need to use a pattern to clean your POST or GET parameters. It's the most popular hacker's trick, because you should keep in mind what you do on the server side. Look at this simple HTML pattern (http://ideone.com/zJ8BGT):

import java.util.*;
import java.lang.*;
import java.io.*;

class Ideone
{
    public static void main (String[] args) throws java.lang.Exception
    {
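        // Regex that matches tag-like substrings: "<", optional "/", optional attributes, ">"
        String pattern = "</{0,1}\\s*(((\\w+\\s*)={0,1}(\"|'){0,1}((\\w+\\s*-*_*)*(:|;|\\)|\\()*/{0,2}(\\w*\\s*/{0,1}\\.{0,1}&*;*\\?*=*-*\\+*%*)(\"|'){0,1}))\\s*)*/{0,1}>";
        // Sample input: the script payload from the question
        String str = "<script>alert(123)</script>";
        // Remove every match of the pattern and print what is left
        System.out.println(str.replaceAll(pattern, ""));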
    }
}
Ivan
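
The usual defence for a reflected parameter like the `id` in the question is to validate it against an allow-list on input and HTML-encode it on output. The following is an added example, not code from the question or the answer; the class and method names, the numeric id format and the hidden-field markup are assumptions made for illustration.

```java
public class ReflectedParamDemo {
    // Assumption: a profile id is a short decimal number; adjust to the real format.
    private static final java.util.regex.Pattern ID_FORMAT =
            java.util.regex.Pattern.compile("[0-9]{1,18}");

    /** Allow-list check: accept only a well-formed id, reject everything else. */
    static boolean isValidId(String id) {
        return id != null && ID_FORMAT.matcher(id).matches();
    }

    /** Encode the characters that are significant in HTML text and quoted attributes. */
    static String escapeHtml(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Hypothetical view fragment that reflects the id into a quoted attribute. */
    static String renderHiddenField(String id) {
        return "<input type=\"hidden\" name=\"id\" value=\"" + escapeHtml(id) + "\">";
    }

    public static void main(String[] args) {
        // The id value from the question's URL after URL-decoding, and a constructed normal id.
        String[] samples = { "/><script>alert(123)</script>", "42" };
        for (String id : samples) {
            if (!isValidId(id)) {
                // In a controller this would be an HTTP 400 instead of rendering the page.
                System.out.println("rejected: " + escapeHtml(id));
            } else {
                System.out.println("accepted: " + renderHiddenField(id));
            }
        }
        // Encoding alone already keeps the value inside the attribute as inert text.
        System.out.println(renderHiddenField(samples[0]));
    }
}
```

In a Spring MVC application the same encoding is available as `org.springframework.web.util.HtmlUtils.htmlEscape` or, in a JSP, through `<c:out>`. Values written into a JSP with plain `${param.id}` are not encoded unless one of these is used.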