
I am using Tomcat 5.5.36. I built an application with JSP. I used the OWASP ZAP security tool to scan my application. In the report I found an issue related to XSS. I am using a form to log in the user and sending it with POST.

In the report it's saying Cross Site Scripting (Reflected):

Parameter: username
Attack: </span><script>alert(1);</script><span>
Evidence: </span><script>alert(1);</script><span>

I am using a session id to authenticate a user. I have read a few documents about XSS attacks but could not find a proper solution which can work with the given Tomcat version. (Note: is there any solution using a CSRF token?)

ZINDA ROBOT
    In most cases XSS has nothing to do with the version of Tomcat you're using; it's caused by an incorrect implementation of your application (it looks like you're outputting the username entered by the user directly into your HTML page without escaping any special characters). This needs to be fixed in your code. The CSRF token has nothing to do with the problem. – yole Apr 04 '16 at 10:29
  • It's a bit vague, but the tool might be referring to the technique of having a different sessionId before and after login to prevent session hijacking. – Gimby Apr 04 '16 at 10:32
  • @yole No, I am not outputting the username directly. I just have a form with the action URL and method POST, and in the form I just have two input fields, username and password. The code in the question is generated by the tool showing the possibility of having CSRF. – ZINDA ROBOT Apr 04 '16 at 10:41

1 Answer

Firstly praise is in order!

You have taken the biggest step to securing your applications and becoming a great developer - you actually considered security. Seriously, that makes me feel better about the future of developers because so few in industry even make it that far. Well done :-)

Now for the fun part: protecting your application against cross site scripting, or indeed any other kind of vulnerability, is not something that can be achieved simply by installing something or enabling something in Tomcat; in fact, the fact that you are using Tomcat should not really be relevant to any application-level vulnerabilities. Additionally, Cross Site Request Forgery is a separate, unrelated vulnerability. Sorry :-(

Looking at your specific example for a moment - basically the issue you have is that your application is taking any input a user puts into the login form and is printing it out in the page without sanitising it. In the report it is telling you that it tried to log in with username </span><script>alert(1);</script><span> and found that the script and alert were printed out in the response.

You can try this yourself and you will see the problem - you will get an alert popup.

Unfortunately, there is no simple switch to flip to protect your application. You have to learn about and understand all of the common vulnerability types and then learn the standard approaches and tools to combat each.

A great starting point is the OWASP Top 10 wiki, where you can find oodles of information about various vulnerabilities, what they are, how they work and what you should be doing to protect against them.

https://www.owasp.org/index.php/Top_10_2013-Top_10

You can even find code samples and worked examples to help.

I feel a bit like leading a lamb to slaughter here - I know that reading through all of that will be quite daunting, but take your time and don't panic. Once you understand each of the vulnerability types, you will find that most are pretty easy to prevent.

Hope this helps, Charlie

kabadisha
  • Thanks for the great suggestion. Actually I am using the same tool to analyse my application and the report has a few more issues like this. I asked about the CSRF token because I found this in the cheat sheet I was reading through [https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet](https://www.owasp.org/index.php/CSRF_Prevention_Cheat_Sheet) Synchronizer Token Pattern. – ZINDA ROBOT Apr 04 '16 at 10:56
  • No problemo - sorry I can't just give you a simple answer :-) I'm just glad to see someone take an active interest in how to secure their applications. If you can get a firm understanding of these issues then you will be a great developer - in fact, questions about these types of vulnerabilities are often used in interviews to judge the caliber of potential developers. – kabadisha Apr 04 '16 at 11:08
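As an added illustration (this is not code from the question or the answer): the pattern the answer describes, a page that echoes the submitted username back into its HTML, beside the fix, which is to HTML-encode the value at the point of output. It is plain Java so it runs with `javac LoginPageXss.java && java LoginPageXss`; the attack string is the one ZAP reported in the question, the page fragments are assumed stand-ins for what the real JSP emits, and `escapeHtml` is a hand-written equivalent of what JSTL's `<c:out>` does.

```java
/**
 * Added example: the reflected-XSS pattern from the ZAP report and its fix.
 * The HTML strings here stand in for what the login JSP would produce; the
 * JSP equivalents are given in the comments on each method.
 */
public class LoginPageXss {

    /** The attack string ZAP reported for the "username" parameter (from the question). */
    static final String ZAP_PAYLOAD = "</span><script>alert(1);</script><span>";

    /**
     * Vulnerable rendering. JSP equivalent:
     *   Login failed for <span><%= request.getParameter("username") %></span>
     * The raw value is concatenated into the markup, so the payload's leading
     * </span> and <script> become real tags in the response.
     */
    static String renderVulnerable(String username) {
        return "<p>Login failed for <span>" + username + "</span></p>";
    }

    /**
     * Fixed rendering. JSP equivalent with JSTL 1.1 (JSP 2.0, so it works on Tomcat 5.5):
     *   Login failed for <span><c:out value="${param.username}"/></span>
     * c:out escapes the same characters as escapeHtml() below, so the payload
     * is shown as text rather than parsed as markup.
     */
    static String renderFixed(String username) {
        return "<p>Login failed for <span>" + escapeHtml(username) + "</span></p>";
    }

    /**
     * Minimal encoder for the HTML body/attribute context: the characters that
     * can change document structure are replaced with entities. Other contexts
     * (inside a <script> block, inside a URL) need their own encoders.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#34;");  break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Rough version of the check a scanner makes: does the response contain the payload verbatim? */
    static boolean reflectsPayload(String responseHtml, String payload) {
        return responseHtml.contains(payload);
    }

    public static void main(String[] args) {
        String vulnerable = renderVulnerable(ZAP_PAYLOAD);
        String fixed = renderFixed(ZAP_PAYLOAD);

        System.out.println("vulnerable: " + vulnerable);
        System.out.println("  payload reflected unchanged? " + reflectsPayload(vulnerable, ZAP_PAYLOAD));
        System.out.println("fixed:      " + fixed);
        System.out.println("  payload reflected unchanged? " + reflectsPayload(fixed, ZAP_PAYLOAD));
    }
}
```

Running it prints the vulnerable response with a live `<script>` element and the fixed response with `&lt;script&gt;` instead, which is why ZAP's "Evidence" field shows the attack string verbatim for the first and would not for the second. Two caveats a practitioner will want: the encoding must match the output context (the encoder above is only right for HTML text and quoted attributes, not for values placed inside JavaScript or a URL), and it must be applied on every page that echoes the parameter, including error pages, not just the login form itself.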