We have got issues in our AEM application for cross site scripting. We decided to check for any scripts before submitting a request. How do we check if there is any script available in the SOAP request at the server side (Java)? Is this the correct solution for avoiding the cross site scripting issue?
- Your question is not clear. What do you mean by "We decided to check for any scripts before submitting a request"? Maybe you can give an example to help understand better. – awd Apr 05 '16 at 13:53
- Hi, we have many forms in the AEM application, and we send the data to a database. Before sending a request to update the DB, we check for any scripts in the request. (Here we use SOAP to hit the database via web services and form a JSON request from the AEM end.) – CQ5 nEW Apr 05 '16 at 17:03
- Refer to http://stackoverflow.com/questions/24800295/how-to-configure-antisamy-in-cq-5-5 – Sandeep Kumar Apr 05 '16 at 17:38
2 Answers
This is a pretty broad question, and we can't provide any implementation details since we don't know any of your architecture or implementation details. However, there are some general XSS things to keep in mind:
- If you are "checking for scripts" only in the browser, using JS, before submitting a form, that will not solve anything. People can easily bypass this by simply issuing the HTTP request that the form would have made from any other tool (e.g. curl, PostMan, etc.). You need to check for bad data on the server side while processing the request that the form is submitting.
As far as how to do this sort of thing on the CQ server side: Adobe has some recommendations that you should read through:
The PDF "cheat sheet" link on those pages will probably be most helpful.
There are different ways to mitigate the XSS risk: white-listing the data to let only known good data through, black-listing the data to block out any known bad data, and encoding the data to prevent scripts from being treated as HTML. For an excellent read on what to do, pay attention to the OWASP recommendations.

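The two layers the answer above describes (allow-list validation of each field on the server, then encoding for the context the value is rendered in) look like this in plain Java. This is an added example, not code from the answer or from Adobe; it has no AEM dependency so it can be compiled and run on its own, and the field names, patterns and sample submissions are assumptions constructed for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Server-side guard for a form submission before it is forwarded into an
 * outbound SOAP/JSON request. Layer 1: allow-list each field (reject anything
 * that is not the shape the field is supposed to have). Layer 2: encode values
 * for HTML when they are rendered, so markup in data stays inert.
 */
public class FormInputGuard {

    // Allow-list patterns per expected field (assumed names/shapes for this example).
    private static final Map<String, Pattern> ALLOWED = new LinkedHashMap<>();
    static {
        ALLOWED.put("name", Pattern.compile("^[\\p{L} .'-]{1,60}$"));
        ALLOWED.put("email", Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$"));
        ALLOWED.put("age", Pattern.compile("^(?:1[0-4][0-9]|[1-9]?[0-9])$")); // 0..149
    }

    /** Raised when a submitted value does not match its allow-list pattern. */
    public static class InvalidInputException extends Exception {
        public InvalidInputException(String msg) { super(msg); }
    }

    /**
     * Checks every expected field. Unknown fields are dropped rather than
     * forwarded; a missing or non-matching field fails the whole submission.
     * Only the field name goes into the error message: the raw value must not
     * be echoed back into a page or a log that is rendered as HTML.
     */
    public static Map<String, String> validate(Map<String, String> submitted) throws InvalidInputException {
        Map<String, String> clean = new LinkedHashMap<>();
        for (Map.Entry<String, Pattern> field : ALLOWED.entrySet()) {
            String value = submitted.get(field.getKey());
            if (value == null || !field.getValue().matcher(value).matches()) {
                throw new InvalidInputException("field '" + field.getKey() + "' rejected by allow-list");
            }
            clean.put(field.getKey(), value);
        }
        return clean;
    }

    /** Encodes a value for an HTML text context (the OWASP-recommended character set). */
    public static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample submissions, not real traffic.
        Map<String, String> good = new LinkedHashMap<>();
        good.put("name", "Alice O'Brien");
        good.put("email", "alice@example.com");
        good.put("age", "34");
        good.put("debug", "ignored"); // unexpected field: silently dropped

        Map<String, String> bad = new LinkedHashMap<>(good);
        bad.put("name", "<script>alert('x')</script>"); // fails the name pattern

        try {
            System.out.println("accepted: " + validate(good));
            System.out.println("accepted: " + validate(bad)); // validate(bad) throws
        } catch (InvalidInputException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Second layer: applied at render time, whatever the first layer let through.
        System.out.println(encodeForHtml("<b>Alice</b> & co"));
    }
}
```

The point of the allow-list is that it never has to recognise "a script": the name field simply cannot contain angle brackets, so searching for `<script>` (which a black-list would miss in its many spellings) is not needed. Encoding is still applied on output because validation rules change and data reaches the page from more than one source.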
Check out XSSAPI; you can use the methods in this API to prevent XSS security risks.
On the other hand, you could probably start using Sightly, which provides automatic contextual XSS protection.

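As an added example of the XSSAPI approach this answer points to (not code from the answer or from Adobe), here is a Sling servlet that runs form parameters through the Granite `XSSAPI` service before the values are used to build the outbound request. It assumes an AEM 6.x project with the Granite and Sling APIs on the classpath; the servlet path and parameter names are assumptions for the example.

```java
import com.adobe.granite.xss.XSSAPI;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

import javax.servlet.Servlet;
import javax.servlet.ServletException;
import java.io.IOException;

/**
 * Example servlet (assumed path /bin/example/contact) that validates and
 * encodes form input with XSSAPI before anything is forwarded or rendered.
 */
@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/example/contact",   // assumed path
        "sling.servlet.methods=POST"
})
public class ContactFormServlet extends SlingAllMethodsServlet {

    @Reference
    private XSSAPI xssAPI;   // Granite XSS service injected by OSGi

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // Bind the API to this request so protection context follows the request.
        XSSAPI xss = xssAPI.getRequestSpecificAPI(request);

        // Validation: accept only what each field is supposed to contain.
        Integer quantity = xss.getValidInteger(request.getParameter("quantity"), 1); // default 1 if not an int
        String link = xss.getValidHref(request.getParameter("website"));            // empty if not a safe URL

        // Encoding: a value bound for HTML is encoded for that context, so a
        // submitted "<script>" becomes literal text rather than markup.
        String comment = xss.encodeForHTML(request.getParameter("comment"));

        // filterHTML keeps a conservative set of harmless tags and strips the
        // rest; reserve it for fields that are genuinely meant to carry rich text.
        String richText = xss.filterHTML(request.getParameter("richText"));

        // These cleaned values are what should go into the SOAP/JSON payload.
        // Here they are simply echoed back as plain text for demonstration.
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().printf("quantity=%d link=%s comment=%s richText=%s%n",
                quantity, link, comment, richText);
    }
}
```

The Sightly (HTL) side of the same advice needs no Java at all: an expression such as `${properties.comment}` inside element text is HTML-escaped automatically, and the `@ context` option selects the escaping for attributes, URIs or script blocks, which is what "automatic contextual XSS protection" refers to.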