
Checkmarx is reporting an XSS vulnerability for the following method in my Controller class. Specifically: This element's value (ResultsVO) then flows through the code without being properly sanitized or validated and is eventually displayed to the user in method:

    @RequestMapping(value = "/getresults", method = RequestMethod.POST, produces = "application/json")
    @ResponseBody
    public ResultsVO getConfigResults(@RequestBody ResultsVO resultsVO, HttpServletRequest request)
            throws OverrideApplicationException {
        String loggedUserId = request.getHeader("USER");
        return resultsService.getConfigResults(resultsVO, loggedUserId);
    }

The ResultsVO object has a lot of String attributes and I'm just wondering whether there is an elegant way to encode them to prevent this vulnerability.

DenairPete
    Does this answer your question? [How do I prevent people from doing XSS in Spring MVC?](https://stackoverflow.com/questions/2147958/how-do-i-prevent-people-from-doing-xss-in-spring-mvc). Since you're just asking about sanitizing a `string`. – baruchiro Feb 11 '20 at 05:06

2 Answers


Try this -- It worked for me :)

    resultsVO = SecurityUtil.sanitizeObject(resultsVO, ResultsVO.class);

    import com.google.gson.Gson;
    import org.apache.commons.lang3.StringEscapeUtils;
    import org.jsoup.Jsoup;
    import org.jsoup.safety.Whitelist;

    // Round-trips the object through JSON: every String attribute is HTML-encoded
    // and run through Jsoup's basic whitelist, then parsed back into a new instance.
    public static <T> T sanitizeObject(Object object, Class<T> classOfT) {
        Gson gson = new Gson();
        String json = Jsoup.clean(StringEscapeUtils.escapeHtml4(gson.toJson(object)), Whitelist.basic());
        return gson.fromJson(json, classOfT);
    }

Checkmarx will pass your reported issue. :)

Hope it will help - upvote if it worked

StackOverFlow
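An alternative to the Gson round trip above that encodes every String attribute once, at the point where Spring writes the response, added here as an example that is not code from either answer: a Jackson `StdSerializer<String>` registered through a `SimpleModule` on the `ObjectMapper` behind `@ResponseBody`. The `ResultsVO` fields, the module name and the sample values are assumptions.

```java
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.fasterxml.jackson.databind.ser.std.StdSerializer;
import org.apache.commons.text.StringEscapeUtils;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

// Applied to every String Jackson writes: HTML-encodes it once, at the output sink.
public class HtmlEncodingStringSerializer extends StdSerializer<String> {

    public HtmlEncodingStringSerializer() {
        super(String.class);
    }

    @Override
    public void serialize(String value, JsonGenerator gen, SerializerProvider provider) throws IOException {
        // escapeHtml4 turns < > & " into entities (it leaves ' alone); the JSON
        // value stays an ordinary string, so clients keep parsing it unchanged.
        gen.writeString(StringEscapeUtils.escapeHtml4(value));
    }

    // Register this on the ObjectMapper behind @ResponseBody; in Spring Boot,
    // exposing the module as a @Bean is enough for auto-configuration to pick it up.
    public static SimpleModule module() {
        return new SimpleModule("html-encoding-strings")
                .addSerializer(String.class, new HtmlEncodingStringSerializer());
    }

    // Hypothetical stand-in for the question's ResultsVO: String attributes plus a nested list.
    public static class ResultsVO {
        public String name;
        public String comment;
        public List<String> tags;
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper().registerModule(module());
        ResultsVO vo = new ResultsVO();  // constructed sample input, not real data
        vo.name = "config-1";
        vo.comment = "<b>bold</b> & \"quoted\"";
        vo.tags = Arrays.asList("<i>a</i>", "plain");

        // Every String attribute, including the list elements, comes out HTML-encoded.
        System.out.println(mapper.writeValueAsString(vo));
    }
}
```

Because the endpoint produces `application/json`, this only helps where the browser inserts the values into HTML; code that reads the JSON and sets `textContent` will now show the entities literally. `escapeHtml4` does not touch the apostrophe, so values placed into single-quoted attributes still need an attribute-context encoder.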

You need to remove escape characters like HTML/JS scripts from it. You need to use the Jsoup and apache-commons libraries to escape HTML/JavaScript code.

Example:

    import org.jsoup.Jsoup;
    import org.jsoup.safety.Whitelist;

    // Jsoup.clean() requires a Whitelist; none() strips every tag and keeps only text
    String loggedUserId = Jsoup.clean(
        org.apache.commons.lang.StringEscapeUtils.escapeHtml(
            org.apache.commons.lang.StringEscapeUtils.escapeJavaScript(
                request.getHeader("USER"))),
        Whitelist.none());
GnanaJeyam
  • Question is about the resultVO flow - which is not sanitized. Your answer will be helpful only if somebody wants to sanitize a string – StackOverFlow Oct 01 '20 at 10:47