
Created an XSS filter using ESAPI (refer to https://dzone.com/articles/stronger-anti-cross-site) and defined it in web.xml. Scanned the EAR file using Veracode. Veracode is still flagging the same issues as XSS issues. Does Veracode not accept using a Servlet filter as a resolution for resolving XSS issues in code?

Viv
  • Can we not use a Servlet-level filter to take care of Cross Site Scripting (XSS) attacks in a website? – Viv Feb 03 '18 at 10:39

1 Answer


Don't use that filter. The author is way too optimistic about what it can do. There are many ways to exploit XSS. Look at the XSS Filter Evasion Cheat Sheet for some examples. Take one at random, for example `<IMG SRC=# onmouseover="alert('xxs')">`, and run it through the filter. It's passed straight through.

The way they've done the replacements can leave the input in a worse state than it started. By removing script tags from `<<script>script>alert('xss')</<script>script>`, you're left with `<script>alert('xss')</script>`.

Even with adding more patterns, the blacklist approach is wrong because it can't cover all the possibilities and can corrupt valid data. To prevent the XSS issues, you should make sure any data added to the page is HTML encoded. See: XSS prevention in JSP/Servlet.

fgb
  • I am using JSF 1.2 (JSP files). But I have some custom tags and `<%=%>` in my JSPs. Veracode has flagged over 100 places scattered all over the JSPs. Does that mean I need to encode each and every place where the issue is flagged? Can we not use a filter to take care of XSS issues in one place? – Viv Feb 03 '18 at 14:53
  • If you see the dzone filter, this line is commented out. If we uncomment this line, will that not make it a good filter to counter XSS attacks? `// value = ESAPI.encoder().canonicalize(value);` – Viv Feb 06 '18 at 05:25
  • It would still allow the same script tags as before. For that filter to work, it would need to reject invalid requests instead of modifying them, and not search for specific patterns, but reject data containing any of: `<` `>` `&` `'` `"`. You'd also need to check data coming from other sources like files or a database. – fgb Feb 06 '18 at 17:45
  • http://bazageous.com/2011/04/14/preventing-xss-attacks-with-antisamy/ . I don't want to encode every JSP code where XSS is an issue. So I am trying to fix this at a top level, that is, using a filter. Do you think the AntiSamy filter approach is good enough? – Viv Feb 09 '18 at 05:47
  • It's better than the first filter, and stops some attacks where data goes from the parameters, then unmodified to an HTML context. AntiSamy is mostly for when you want to input HTML though. If you don't want HTML at all, you can do HTML encoding in the filter instead. – fgb Feb 09 '18 at 17:31
  • I am now using https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project to fix the flaws – Viv Feb 13 '18 at 07:55
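The point made in the answer, as an added example that is not part of the question, the answer, or the dzone filter: a blacklist that deletes `<script>` tags can be bypassed by the nested payload quoted above and does nothing for the `onmouseover` payload, while encoding the five characters fgb lists renders both inert in an HTML text context. The `blacklistStrip` regex is an assumed stand-in for the dzone filter's pattern, and `htmlEncode` is a hand-rolled illustration; in production use a maintained encoder such as OWASP Java Encoder's `Encode.forHtml`.

```java
import java.util.regex.Pattern;

// Demonstrates why stripping script tags fails and why contextual
// HTML output encoding is the fix recommended in the answer.
public class XssFilterDemo {

    // Assumed stand-in for the dzone filter's behaviour: delete any
    // <script> or </script> tag, case-insensitively, in one pass.
    private static final Pattern SCRIPT_TAG =
        Pattern.compile("</?script>", Pattern.CASE_INSENSITIVE);

    static String blacklistStrip(String value) {
        return SCRIPT_TAG.matcher(value).replaceAll("");
    }

    // Output encoding for an HTML text context: the five characters
    // fgb lists (< > & ' "). Illustration only; prefer Encode.forHtml
    // from the OWASP Java Encoder in real code.
    static String htmlEncode(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the two payloads quoted in the answer.
        String nested = "<<script>script>alert('xss')</<script>script>";
        String attr = "<IMG SRC=# onmouseover=\"alert('xxs')\">";

        // One stripping pass leaves a complete script tag behind, and the
        // event-handler payload contains no script tag to strip at all.
        System.out.println("stripped nested : " + blacklistStrip(nested));
        System.out.println("stripped attr   : " + blacklistStrip(attr));

        // Encoding at the output point keeps both as literal text.
        System.out.println("encoded nested  : " + htmlEncode(nested));
        System.out.println("encoded attr    : " + htmlEncode(attr));
    }
}
```

Compile and run with `javac XssFilterDemo.java && java XssFilterDemo`; the stripped nested payload comes back as a working script tag, exactly as the answer describes.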