
I have an issue with a Cross-Site Scripting (XSS) vulnerability in my application. I have multiple forms where the user can submit data which will be stored in the database and displayed later in a JSP page. I discovered that this application isn't sufficiently protected and a user can submit malicious code which will fire an XSS attack.

I need to validate the user input on the server side after the submission of the form, because on the client side the data is displayed using a table library which renders HTML content (I have no control over this library). I found a nice library at this link (https://appsec-labs.com/portal/xss-java-secure-coding/) but it concerns only the client side.

How can I validate this input data, whether it is HTML, JavaScript code or something else?

Thanks

kkung

3 Answers


Essentially you need to substitute HTML special characters like < with their HTML entities like &lt;.

In JSP you can protect against this using JSTL tag or fn:escapeXml(). There is another answer that covers that here. In PHP you can try using the htmlspecialchars function.

Also be careful of SQL injection and CSRF attacks. The OWASP Top Ten outlines some common vulnerabilities.

mjsa
  • So is there a sort of library to escape and validate the user input regarding if it's an html code, javascript.. (server side) ? In the jsp, I can't use the JSTL tag or fn:escapeXml() because I a have a list of objects that may contain a malicious code which I give to a table library to display the content of this list. – kkung Oct 14 '15 at 12:03
  • You just need to filter HTML tags, Javascript can't run unless you wrap it in ` – mjsa Oct 14 '15 at 14:54
  • @mjsa `` Just didn't want anyone to take your message literally. XSS doesn't always require script tags. I know you are saying that `<,>`,etc would get escaped here, but the comment itself could be misleading. – Gray Oct 14 '15 at 18:54
  • @Gray Yes, I agree; was just trying to simplify (in this case leading to an over-simplification). :p – mjsa Oct 15 '15 at 07:26
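As an added example (not code from the answer above, nor from the asker's project), here is a plain Java escaper that performs exactly the substitution the answer describes, applied to the list of objects before it is handed to the table library the asker mentions in the comments. `Row`, `title` and `comment` are hypothetical names standing in for the asker's own model class.

```java
import java.util.ArrayList;
import java.util.List;

public final class HtmlEscaper {

    private HtmlEscaper() {}

    /**
     * Replace the five characters that carry meaning in HTML text and
     * quoted-attribute context with their entity forms. Everything else is
     * copied through unchanged, so the text is preserved but can no longer
     * open a tag, close an attribute or start an entity of its own.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;   // so stored text cannot smuggle an entity
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;   // &apos; is not HTML 4, so use the numeric form
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Hypothetical row type: the objects the question hands to the table library. */
    public static final class Row {
        public final String title;
        public final String comment;

        public Row(String title, String comment) {
            this.title = title;
            this.comment = comment;
        }
    }

    /**
     * Escape at output time: the database keeps the raw text, and the view
     * layer produces a copy whose string fields are safe in HTML text context.
     */
    public static List<Row> escapeForHtml(List<Row> rows) {
        List<Row> safe = new ArrayList<>(rows.size());
        for (Row r : rows) {
            safe.add(new Row(escapeHtml(r.title), escapeHtml(r.comment)));
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample of stored user input, not real data
        List<Row> fromDb = List.of(
            new Row("Tom & Jerry's", "<script>alert('x')</script>"),
            new Row("Quote \"test\"", "plain text stays plain text"));

        for (Row r : escapeForHtml(fromDb)) {
            System.out.println("<tr><td>" + r.title + "</td><td>" + r.comment + "</td></tr>");
        }
    }
}
```

Escaping is done on a copy at output time rather than on the way into the database: the stored value stays usable for other outputs (JSON, e-mail, CSV) that need different encoding, and a later change of rendering library does not require re-processing existing rows. This covers the HTML text and quoted-attribute contexts only; data placed inside a JavaScript string or a URL needs a different encoder.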

The right way to address this would be to fix this library (which you have no control over) or to replace it with something better. The flaw is in the library, not in your code. XSS vulnerabilities exist because of rendering code which inserts data in unsafe locations and/or does not properly escape its output.

This being said, it might be possible to secure your application without fixing/replacing the library. Or it might not. It largely depends on where the library inserts the user-supplied data.

If you can restrict the input to a string of alphanumeric characters or better yet a white list of authorized values, you are most likely safe. This means no spaces, no single quotes or double quotes, no less-than or greater-than signs, no commas, no colons, no semi-colons... If you can't and you have no control over the rendering code, as seems to be the case, then all bets are off.

Probably, you'll get a better understanding of the issue by reading this: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Erwan Legrand
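As an added example (not from the answer above or the asker's code), here is the whitelist approach the answer recommends, written as server-side validation in Java: one check for a field that must be purely alphanumeric, and one for a field that only ever takes a few known values. The field names and the allowed status values are constructed for the illustration.

```java
import java.util.Set;
import java.util.regex.Pattern;

public final class InputWhitelist {

    private InputWhitelist() {}

    // Explicit ASCII class on purpose: it names exactly the accepted characters,
    // so none of the metacharacters listed in the answer (space, quotes, < >, , : ;)
    // can get through. matcher().matches() requires the whole string to match.
    private static final Pattern ALPHANUMERIC = Pattern.compile("[A-Za-z0-9]{1,64}");

    // Closed list of values for a field that only has a handful of legal states
    private static final Set<String> ALLOWED_STATUS = Set.of("open", "closed", "pending");

    /** True only if the value consists of 1 to 64 ASCII letters or digits. */
    public static boolean isAlphanumeric(String value) {
        return value != null && ALPHANUMERIC.matcher(value).matches();
    }

    /** True only if the value is one of the known states (exact, case-sensitive match). */
    public static boolean isAllowedStatus(String value) {
        return value != null && ALLOWED_STATUS.contains(value);
    }

    /**
     * Validate-or-reject: returns the value unchanged when it passes, otherwise
     * throws, so the caller never stores or renders anything that failed.
     * The message names the field, not the offending input, so it is safe to show.
     */
    public static String requireAlphanumeric(String field, String value) {
        if (!isAlphanumeric(value)) {
            throw new IllegalArgumentException(field + ": expected 1-64 letters or digits");
        }
        return value;
    }

    public static String requireStatus(String value) {
        if (!isAllowedStatus(value)) {
            throw new IllegalArgumentException("status: not an allowed value");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed form submissions, not real data
        String[] usernames = { "alice42", "bob smith", "<b>x</b>", "o'neil", "" };
        for (String u : usernames) {
            System.out.println("username '" + u + "' -> " + (isAlphanumeric(u) ? "accepted" : "rejected"));
        }

        String[] statuses = { "open", "OPEN", "closed;drop", null };
        for (String s : statuses) {
            System.out.println("status '" + s + "' -> " + (isAllowedStatus(s) ? "accepted" : "rejected"));
        }
    }
}
```

The point of `requireAlphanumeric` returning the value is that the servlet or controller can write `String user = InputWhitelist.requireAlphanumeric("username", request.getParameter("username"));` and only ever hold a validated string afterwards. The limitation the answer points out is visible in the sample: `"bob smith"` is rejected, so a free-text field such as a comment cannot be validated this way and still needs output encoding for whatever context the rendering library puts it in.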

I would recommend the OWASP java encoder (or ESAPI) project. https://www.owasp.org/index.php/OWASP_Java_Encoder_Project (and on GitHub: https://github.com/OWASP/owasp-java-encoder/). Doco sadly is a bit sparse.

The problem with XSS is that it's context dependent. You need to encode differently depending on where you're displaying the user output (e.g., different encoding for data you're placing between javascript tags, or in the uri, or between html tags). OWASP Java Encoder sets up different contexts you can encode/decode for. If the data is just output through a jsp tag, then I would use

Encode.forHtml("input here");

You can also encode for javascript:

Encode.forJavaScript("input here");

You can download it on the owasp site, or through maven (look on the github link).

This library also allows you to do the encoding through JSP tags in your JSP pages, but you'll have to dig around a bit to find the doco for that. I've always done it in Java.

This stackoverflow question covers links on how to configure the library properly: Configure ESAPI Security Encoding Library to prevent XSS Cross-site scripting issue

AndyN
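As an added example (not from the answer above or the OWASP project's own documentation), the following Java class runs one constructed input through the OWASP Java Encoder once per output context, which is the context dependence the answer describes. `Encode.forHtml`, `Encode.forHtmlAttribute`, `Encode.forJavaScript` and `Encode.forUriComponent` are real methods of `org.owasp.encoder.Encode`; the helper names and the sample string are the example's own.

```java
import org.owasp.encoder.Encode;

/**
 * The same user-supplied string, encoded for each place it might be written.
 * Maven dependency: groupId org.owasp.encoder, artifactId encoder
 * (version left to the project; see the GitHub link in the answer).
 */
public final class ContextEncoding {

    private ContextEncoding() {}

    /** For text between tags, e.g. <td>...</td>. */
    public static String forCell(String s) {
        return Encode.forHtml(s);
    }

    /** For a value inside a quoted attribute, e.g. <input value="...">. */
    public static String forAttribute(String s) {
        return Encode.forHtmlAttribute(s);
    }

    /** For a value inside a JavaScript string literal, in a script block or an event attribute. */
    public static String forJsLiteral(String s) {
        return Encode.forJavaScript(s);
    }

    /** For a single query-string parameter value, e.g. ?q=... */
    public static String forQueryParam(String s) {
        return Encode.forUriComponent(s);
    }

    /** One table row whose two cells are in HTML text context. */
    public static String renderRow(String title, String comment) {
        return "<tr><td>" + forCell(title) + "</td><td>" + forCell(comment) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample of stored input with characters that matter in every context
        String input = "Tom & Jerry's <b>\"friends\"</b>";

        System.out.println(renderRow("title", input));
        System.out.println("<input type=\"text\" value=\"" + forAttribute(input) + "\">");
        System.out.println("<script>var v = '" + forJsLiteral(input) + "';</script>");
        System.out.println("<a href=\"/search?q=" + forQueryParam(input) + "\">search</a>");
    }
}
```

The check to apply when reading a JSP is to ask, for each `${...}` or scriptlet that emits user data, which of these four positions the output lands in and whether the encoder used matches it; a value that is HTML-encoded and then dropped into a JavaScript string is the mismatch that leaves a hole. The JSP tag form of the same library that the answer mentions is shipped as a separate artifact, `encoder-jsp`, in the same GitHub repository.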