
Below is the REST response received during a vulnerability test:

Response

HTTP/1.1 400 Bad Request

The HTTP header field "Accept" with value "/'"!@$^*/:;.,?{}[]`~-_

Can I do something like adding a header param to avoid an XSS attack?

import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import org.apache.log4j.Logger; // log4j 1.x assumed from the Logger API used below

@Path("/WSPointBalance")
public class BalanceService {
    private static final Logger log = Logger.getLogger(BalanceService.class);

    @POST
    @Path("/getPointBalance")
    @Produces("application/json; charset=utf-8")
    @HeaderParam("X-XSS-Protection: 1; mode=block")
    public String getPointBalance(@QueryParam("P_ID") String P_ID) {

        if (log.isDebugEnabled())
            log.debug("In balanceManager ");
        log.info("Logging inside BalanceService class ");
        .....
    }
}

1 Answer


Response filter

If I understand what you need, it could be achieved with a filter.

Filters can be used to modify any request or response parameters like headers.

The following filter, which implements the ContainerResponseFilter interface, will add the X-XSS-Protection header to the HTTP response:

import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.ext.Provider;

@Provider
public class XssResponseFilter implements ContainerResponseFilter {

    @Override
    public void filter(ContainerRequestContext requestContext,
                       ContainerResponseContext responseContext) throws IOException {

        // Runs after the resource method; adds the header to every response
        responseContext.getHeaders().add("X-XSS-Protection", "1; mode=block");
    }
}

Please note the above filter is global, that is, it will be executed for all resource methods.

Name binding

To execute the filter for only some hand-picked resource methods, you can use name binding.

Name binding is a concept that allows telling a JAX-RS runtime that a specific filter will be executed only for a specific resource method. When a filter or an interceptor is limited only to a specific resource method, we say that it is name-bound.

Filters can be assigned to a resource method using the @NameBinding annotation. The annotation is used as a meta-annotation for other user-implemented annotations that are applied to providers and resource methods.

A name binding annotation can be defined as follows (the name of the annotation is up to you):

import java.lang.annotation.*;
import javax.ws.rs.NameBinding;

@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface XssProtection { }

Place the above defined annotation on your filter class:

@Provider
@XssProtection
public class XssResponseFilter implements ContainerResponseFilter {
    ...
}

To assign the filter to a resource method, place the above defined annotation on the resource method:

@GET
@XssProtection
@Produces(MediaType.APPLICATION_JSON)
public Response myMethod() {
    ...
}

Name binding can be applied on resource classes as well. It means the filter will be executed for all resource methods of that resource class:

@Path("/foo")
@XssProtection
public class MyResource {
    ...
}

Note that global filters are always executed, even for resource methods that have name binding annotations.

Additional resources

For more details on filters, have a look at the Jersey documentation.

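Putting the answer's pieces together for the asker's resource, as an added example that is not code from the question or the answer: a name-bound filter that sets the header only when it is absent, bound on the BalanceService class. JAX-RS 2.x (javax.ws.rs) is assumed, as in the answer; the annotation name, the filter name and the X-Content-Type-Options header are additions made here, not taken from the page.

```java
import java.io.IOException;
import java.lang.annotation.*;
import javax.ws.rs.*;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.Provider;

// Name-binding annotation (name chosen here) tying the filter to the resources it is placed on.
@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface SecurityHeaders { }

// Name-bound response filter. Each header is set only if not already present, so a
// resource method that chose its own value is kept and no header is emitted twice.
@Provider
@SecurityHeaders
class SecurityHeadersFilter implements ContainerResponseFilter {
    @Override
    public void filter(ContainerRequestContext requestContext,
                       ContainerResponseContext responseContext) throws IOException {
        MultivaluedMap<String, Object> headers = responseContext.getHeaders();
        setIfAbsent(headers, "X-XSS-Protection", "1; mode=block");
        // Added here (not in the answer): stops browsers sniffing the JSON body
        // as HTML, the usual companion header for a JSON API.
        setIfAbsent(headers, "X-Content-Type-Options", "nosniff");
    }

    private static void setIfAbsent(MultivaluedMap<String, Object> headers,
                                    String name, String value) {
        if (!headers.containsKey(name)) {
            headers.putSingle(name, value);
        }
    }
}

// The asker's resource, bound on the class so every method in it gets the headers;
// the @HeaderParam line from the question is not needed.
@Path("/WSPointBalance")
@SecurityHeaders
class BalanceService {
    @POST
    @Path("/getPointBalance")
    @Produces("application/json; charset=utf-8")
    public String getPointBalance(@QueryParam("P_ID") String pId) {
        return "{\"pointBalance\":0}"; // constructed placeholder body
    }
}
```

Because the filter is name-bound, a resource class or method without @SecurityHeaders is left untouched; the global XssResponseFilter from the answer, if also registered, would still run for every response.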
  • Thanks a lot Cássio Mazzochi Molin. – sritharan Apr 18 '16 at 07:32
  • Thanks a lot @Cássio Mazzochi Molin. I want to understand one thing regarding cross-site scripting in the context of REST services: any XSS attack on the REST service would be coming through the URI, right? Is my understanding correct? – sritharan Apr 18 '16 at 09:18
  • @sritharan Are you using Jersey? Why don't you try the [`CsrfProtectionFilter`](https://jersey.java.net/apidocs/2.7/jersey/org/glassfish/jersey/server/filter/CsrfProtectionFilter.html)? The source is available [here](https://github.com/jersey/jersey/blob/master/core-server/src/main/java/org/glassfish/jersey/server/filter/CsrfProtectionFilter.java), just in case you need to check or implement yours. – cassiomolin Apr 18 '16 at 10:46
  • @sritharan Also consider supporting CORS. There's a great example [here](http://stackoverflow.com/a/28067653/1426227). – cassiomolin Apr 18 '16 at 10:49