
I am working on a JSP/servlet application. Now the requirement is to apply cross-site scripting, and as it is a huge application that contains around 200 JSP pages, it is time-consuming to encode each JSP page, so I am looking for an efficient way to do this that reduces the effort. For example, can we do this in a servlet filter, or is there a good framework to achieve this?

Any help would be appreciated.

Prashant Bhagwani
  • Does this answer your question? [XSS prevention in JSP/Servlet web application](https://stackoverflow.com/questions/2658922/xss-prevention-in-jsp-servlet-web-application) – Jonathan Laliberte Nov 13 '19 at 11:03
  • Hi Jonathan, this link is actually explaining how to implement XSS protection, but I am looking for a solution which is kind of generic; I don't want to implement it in each JSP. – Prashant Bhagwani Nov 13 '19 at 13:46

1 Answer


I had the same problem. We had lots of JSP pages (more than 10000 pages, a very huge project), so as you know an XSS vulnerability would potentially occur when you do something like this:

<div><%=someValue%></div>

So there are two options for us here:

1) Use the <c:out> tag from JSP, which ensures that an XSS attack won't happen. Something like this:

<div><c:out value="<%=someValue%>" /></div>

which is not so hard to apply to all your 200 pages.

2) Write some Java code to check if the value has an XSS vulnerability. You might get someValue from a Java class like this:

String someValue = MyClass.getSomeValue();

So in the getSomeValue method you should check some patterns.

I wrote some Java patterns for XSS detection and I am sharing them with you here:

import java.util.regex.Pattern;

public class XssDetector {

    // Patterns that flag common script-injection fragments in a raw input string
    private static final Pattern[] patterns = new Pattern[]{
            // Script fragments
            Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
            // src='...'
            Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // lonely script tags
            Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
            Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // eval(...)
            Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // expression(...)
            Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // javascript:...
            Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
            // vbscript:...
            Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
            // onload(...)=...
            Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)
    };

    // Returns true as soon as any pattern is found anywhere in the input
    public static boolean strongCheckForXSS(String input) {
        if (input == null)
            return false;
        for (Pattern p : patterns)
            if (p.matcher(input).find())
                return true;
        return false;
    }
}
Mohsen