
I am working on a website that currently is vulnerable to XSS attacks. As I read about it, the best way to prevent it is to:

  1. Validate any user inputs.
  2. Sanitize and escape any strings that are to be displayed on web pages.

For point no. 1, I am validating user inputs both on the client side (JS) and just before the data is persisted to the database.

For point no. 2, I am not so sure. Should I sanitize and escape strings as I add them to MVC objects before sending them to the JSP? The problem I see with this approach is that there are simply too many objects with string parameters, and sanitizing each of them would be a pain.

What's the best approach SO suggests?

Thanks!

1 Answer


For point 1:

  • Client-side validation doesn't ensure protection from XSS, as it can be skipped by the attacker. The purpose of client-side validation is to guide a legitimate user in providing the required input, not to prevent an attacker from attacking.
  • Validating only when saving to the database is not sufficient. User input has to be validated on the server side as soon as it is received. Depending on the application, user input might flow back to the user in the response, or it might flow to other users via application-scoped variables, without ever being read from the database (your validated value).

For point 2:

  • Sanitize and encode only those output strings which were user inputs (in any form: request parameter, request header, request body, user input saved in the database).
  • Output fields can be encoded in the JSP page using available encoding libraries like the OWASP Java Encoder.
  • If you can switch to JSF, it has built-in XSS protection. Refer for details.

Do refer to the OWASP XSS Prevention Cheat Sheet.

mittal
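The two points of the answer, as an added example that is not part of the question or the answer above: a whitelist check that runs on the server as soon as a field is received (rather than only before the database insert), and output encoding done at render time with the OWASP Java Encoder (Maven artifact org.owasp.encoder:encoder), chosen per output context. Encoding at the JSP rather than in every MVC object also addresses the asker's concern about the number of string fields, because the model keeps the raw value and only the view encodes it. The class name, the field names and the attacker string are constructed for illustration; the taglib shown in the comment assumes the encoder-jsp artifact is on the classpath.

```java
import org.owasp.encoder.Encode;
import java.util.regex.Pattern;

// Added example: server-side validation on receipt plus contextual output
// encoding with the OWASP Java Encoder. Names below are illustrative.
public class XssOutputEncodingDemo {

    // Server-side whitelist for a field with a known shape. This runs in the
    // servlet/controller when the request arrives, not only before the DB insert,
    // so a value that is echoed straight back in the response is also covered.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,32}$");

    static String validateUsername(String raw) {
        if (raw == null || !USERNAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        return raw;
    }

    // Free text such as a comment body cannot be whitelisted that tightly, so it is
    // stored as-is and encoded at output time. Each helper picks the encoder for the
    // context the value lands in; using the HTML encoder for a JavaScript string or a
    // URL parameter is the classic mistake that leaves an XSS open.
    static String asHtmlText(String s)        { return Encode.forHtml(s); }
    static String asHtmlAttribute(String s)   { return Encode.forHtmlAttribute(s); }
    static String asJsStringLiteral(String s) { return Encode.forJavaScript(s); }
    static String asUrlQueryValue(String s)   { return Encode.forUriComponent(s); }

    public static void main(String[] args) {
        // Constructed attacker input: the kind of string that reaches a JSP via a
        // request parameter, a header, or a row read back from the database.
        String comment = "<img src=x onerror=alert(1)>\" onmouseover=\"alert(2)";

        // Same value, four different sinks, four different encoders.
        System.out.println("<p>" + asHtmlText(comment) + "</p>");
        System.out.println("<input value=\"" + asHtmlAttribute(comment) + "\">");
        System.out.println("<script>var c = '" + asJsStringLiteral(comment) + "';</script>");
        System.out.println("<a href=\"/search?q=" + asUrlQueryValue(comment) + "\">search</a>");

        // A whitelisted value is still encoded at output: defence in depth.
        String user = validateUsername("alice_01");
        System.out.println("<span>" + asHtmlText(user) + "</span>");

        /* The same encoding done directly in the JSP with the encoder-jsp taglib,
           so the MVC objects carry the raw strings and nothing is pre-escaped:

           <%@ taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project" %>
           <p><e:forHtml value="${comment.body}"/></p>
           <input value="<e:forHtmlAttribute value='${comment.body}'/>">
           <a href="/search?q=${e:forUriComponent(comment.body)}">search</a>
        */
    }
}
```

Note that validation and encoding are not interchangeable here: the username regex rejects the attacker string outright, while the comment body is accepted and neutralised only because every place it is printed goes through the encoder matching that context.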