How to prevent XSS in java web application? [duplicate] - javascript

How can I prevent XSS attacks in a JSP/Servlet web application?

XSS can be prevented in JSP by using JSTL <c:out> tag or fn:escapeXml() EL function when (re)displaying user-controlled input. This includes request parameters, headers, cookies, URL, body, etc. Anything which you extract from the request object. Also the user-controlled input from previous requests which is stored in a database needs to be escaped during redisplaying.
For example:
<p><c:out value="${bean.userControlledValue}" /></p>
<p><input name="foo" value="${fn:escapeXml(param.foo)}"></p>
This will escape characters which may malform the rendered HTML such as <, >, ", ' and & into HTML/XML entities such as &lt;, &gt;, &quot;, &apos; and &amp;.
Note that you don't need to escape them in the Java (Servlet) code, since they are harmless over there. Some may opt to escape them during request processing (as you do in Servlet or Filter) instead of response processing (as you do in JSP), but this way you may risk that the data unnecessarily get double-escaped (e.g. & becomes &amp;amp; instead of &amp; and ultimately the enduser would see &amp; being presented), or that the DB-stored data becomes unportable (e.g. when exporting data to JSON, CSV, XLS, PDF, etc which doesn't require HTML-escaping at all). You'll also lose social control because you don't know anymore what the user has actually filled in. You'd as being a site admin really like to know which users/IPs are trying to perform XSS, so that you can easily track them and take actions accordingly. Escaping during request processing should only and only be used as latest resort when you really need to fix a train wreck of a badly developed legacy web application in the shortest time as possible. Still, you should ultimately rewrite your JSP files to become XSS-safe.
If you'd like to redisplay user-controlled input as HTML wherein you would like to allow only a specific subset of HTML tags like <b>, <i>, <u>, etc, then you need to sanitize the input by a whitelist. You can use a HTML parser like Jsoup for this. But, much better is to introduce a human friendly markup language such as Markdown (also used here on Stack Overflow). Then you can use a Markdown parser like CommonMark for this. It has also builtin HTML sanitizing capabilities. See also Markdown or HTML.
The only concern in the server side with regard to databases is SQL injection prevention. You need to make sure that you never string-concatenate user-controlled input straight in the SQL or JPQL query and that you're using parameterized queries all the way. In JDBC terms, this means that you should use PreparedStatement instead of Statement. In JPA terms, use Query.
An alternative would be to migrate from JSP/Servlet to Java EE's MVC framework JSF. It has builtin XSS (and CSRF!) prevention all over the place. See also CSRF, XSS and SQL Injection attack prevention in JSF.
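The double-escaping and export problems described in the answer above, shown as an added example that is not part of the original answer. The hand-written escapeXml helper stands in for fn:escapeXml(), and the class and method names are assumptions.

```java
import java.util.List;

// Added illustration; EscapeTimingDemo and its methods are hypothetical names.
public class EscapeTimingDemo {

    // Stand-in for fn:escapeXml(): escapes the five characters named above.
    static String escapeXml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    // View layer: escapes every value it writes, as <c:out> does in a JSP.
    static String renderHtml(String stored) {
        return "<p>" + escapeXml(stored) + "</p>";
    }

    // Non-HTML consumer: CSV needs only its own quoting, not HTML entities.
    static String exportCsv(String stored) {
        return "\"" + stored.replace("\"", "\"\"") + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample input.
        List<String> submitted = List.of("Tom & Jerry", "<script>alert('xss')</script>");

        for (String input : submitted) {
            // Strategy 1: store what the user sent, escape only when rendering.
            String raw = input;
            // Strategy 2: escape during request processing, then store.
            String escapedOnInput = escapeXml(input);

            System.out.println("submitted           : " + input);
            System.out.println("raw -> HTML         : " + renderHtml(raw));
            System.out.println("raw -> CSV          : " + exportCsv(raw));
            // The view still escapes, so the entities are escaped a second time.
            System.out.println("pre-escaped -> HTML : " + renderHtml(escapedOnInput));
            // The export now carries HTML entities that CSV never needed.
            System.out.println("pre-escaped -> CSV  : " + exportCsv(escapedOnInput));
            System.out.println();
        }
    }
}
```

With the raw value stored, the page is safe and the CSV is faithful; with the pre-escaped value stored, the original submission is no longer available for logging or review.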

The how-to-prevent-xss has been asked several times. You will find a lot of information in StackOverflow. Also, OWASP website has an XSS prevention cheat sheet that you should go through.
On the libraries to use, OWASP's ESAPI library has a java flavour. You should try that out. Besides that, every framework that you use has some protection against XSS. Again, OWASP website has information on most popular frameworks, so I would recommend going through their site.

I had great luck with OWASP Anti-Samy and an AspectJ advisor on all my Spring Controllers that blocks XSS from getting in.
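import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;

public class UserInputSanitizer {

    private static Policy policy;
    private static AntiSamy antiSamy;

    // Lazily loads the policy and creates the shared AntiSamy scanner.
    private static AntiSamy getAntiSamy() throws PolicyException {
        if (antiSamy == null) {
            policy = getPolicy("evocatus-default");
            antiSamy = new AntiSamy();
        }
        return antiSamy;
    }

    // Returns the input with any markup the policy disallows removed.
    public static String sanitize(String input) {
        CleanResults cr;
        try {
            cr = getAntiSamy().scan(input, policy);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        return cr.getCleanHTML();
    }

    // Reads the named policy file from /META-INF/antisamy/ on the classpath.
    private static Policy getPolicy(String name) throws PolicyException {
        Policy policy =
            Policy.getInstance(Policy.class.getResourceAsStream("/META-INF/antisamy/" + name + ".xml"));
        return policy;
    }
}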
You can get the AspectJ advisor from this Stack Overflow post.
I think this is a better approach than c:out, particularly if you do a lot of JavaScript.

Managing XSS requires multiple validations, data from the client side.
Input Validations (form validation) on the Server side. There are multiple ways of going about it. You can try JSR 303 bean validation (Hibernate Validator), or ESAPI Input Validation framework. Though I've not tried it myself (yet), there is an annotation that checks for safe html (@SafeHtml). You could in fact use Hibernate Validator with Spring MVC for bean validations -> Ref
Escaping URL requests - For all your HTTP requests, use some sort of XSS filter. I've used the following for our web app and it takes care of cleaning up the HTTP URL request - http://www.servletsuite.com/servlets/xssflt.htm
Escaping data/html returned to the client (look above at @BalusC explanation).

I would suggest regularly testing for vulnerabilities using an automated tool, and fixing whatever it finds. It's a lot easier to suggest a library to help with a specific vulnerability than for all XSS attacks in general.
Skipfish is an open source tool from Google that I've been investigating: it finds quite a lot of stuff, and seems worth using.

There is no easy, out of the box solution against XSS. The OWASP ESAPI API has some support for the escaping that is very useful, and they have tag libraries.
My approach was basically to extend the Struts 2 tags in the following ways.
Modify s:property tag so it can take extra attributes stating what sort of escaping is required (escapeHtmlAttribute="true" etc.). This involves creating a new Property and PropertyTag classes. The Property class uses OWASP ESAPI api for the escaping.
Change freemarker templates to use the new version of s:property and set the escaping.
If you didn't want to modify the classes in step 1, another approach would be to import the ESAPI tags into the freemarker templates and escape as needed. Then if you need to use a s:property tag in your JSP, wrap it with an ESAPI tag.
I have written a more detailed explanation here.
http://www.nutshellsoftware.org/software/securing-struts-2-using-esapi-part-1-securing-outputs/
I agree escaping inputs is not ideal.

My personal opinion is that you should avoid using JSP/ASP/PHP/etc pages. Instead output to an API similar to SAX (only designed for calling rather than handling). That way there is a single layer that has to create well formed output.

If you want to automatically escape all JSP variables without having to explicitly wrap each variable, you can use an EL resolver as detailed here with full source and an example (JSP 2.0 or newer), and discussed in more detail here:
For example, by using the above mentioned EL resolver, your JSP code will remain like so, but each variable will be automatically escaped by the resolver
...
<c:forEach items="${orders}" var="item">
<p>${item.name}</p>
<p>${item.price}</p>
<p>${item.description}</p>
</c:forEach>
...
If you want to force escaping by default in Spring, you could consider this as well, but it doesn't escape EL expressions, just tag output, I think:
http://forum.springsource.org/showthread.php?61418-Spring-cross-site-scripting&p=205646#post205646
Note: Another approach to EL escaping that uses XSL transformations to preprocess JSP files can be found here:
http://therning.org/niklas/2007/09/preprocessing-jsp-files-to-automatically-escape-el-expressions/

If you want to make sure that your $ operator does not suffer from XSS hack you can implement ServletContextListener and do some checks there.
The complete solution at: http://pukkaone.github.io/2011/01/03/jsp-cross-site-scripting-elresolver.html
import java.beans.FeatureDescriptor;
import java.util.Iterator;
import javax.el.ELContext;
import javax.el.ELResolver;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.jsp.JspFactory;
import org.apache.commons.lang3.StringEscapeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@WebListener
public class EscapeXmlELResolverListener implements ServletContextListener {

    private static final Logger LOG = LoggerFactory.getLogger(EscapeXmlELResolverListener.class);

    @Override
    public void contextInitialized(ServletContextEvent event) {
        LOG.info("EscapeXmlELResolverListener initialized ...");
        // Register the escaping resolver for every JSP in this web application.
        JspFactory.getDefaultFactory()
                .getJspApplicationContext(event.getServletContext())
                .addELResolver(new EscapeXmlELResolver());
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        LOG.info("EscapeXmlELResolverListener destroyed");
    }

    /**
     * {@link ELResolver} which escapes XML in String values.
     */
    public class EscapeXmlELResolver extends ELResolver {

        private ThreadLocal<Boolean> excludeMe = new ThreadLocal<Boolean>() {
            @Override
            protected Boolean initialValue() {
                return Boolean.FALSE;
            }
        };

        @Override
        public Object getValue(ELContext context, Object base, Object property) {
            try {
                if (excludeMe.get()) {
                    return null;
                }
                // This resolver is in the original resolver chain. To prevent
                // infinite recursion, set a flag to prevent this resolver from
                // invoking the original resolver chain again when its turn in the
                // chain comes around.
                excludeMe.set(Boolean.TRUE);
                Object value = context.getELResolver().getValue(
                        context, base, property);
                if (value instanceof String) {
                    value = StringEscapeUtils.escapeHtml4((String) value);
                }
                return value;
            } finally {
                excludeMe.remove();
            }
        }

        @Override
        public Class<?> getCommonPropertyType(ELContext context, Object base) {
            return null;
        }

        @Override
        public Iterator<FeatureDescriptor> getFeatureDescriptors(ELContext context, Object base) {
            return null;
        }

        @Override
        public Class<?> getType(ELContext context, Object base, Object property) {
            return null;
        }

        @Override
        public boolean isReadOnly(ELContext context, Object base, Object property) {
            return true;
        }

        @Override
        public void setValue(ELContext context, Object base, Object property, Object value) {
            throw new UnsupportedOperationException();
        }
    }
}
Again: This only guards the $. Please also see other answers.

<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>
<%
    String str = request.getParameter("urlParam");
    String safeOutput = StringEscapeUtils.escapeXml(str);
%>

Related

URI encoding in ODataModel v2

I've created a SAPUI5 table widget and made sure that it works. Now, when clicking on a row, the detail view is loaded, but no data is present. The server exposes an entity Site with a primary key which is of type "string".
The client-side code is as follows (assume that oModel is ODataModel, sSiteCode is a string that may contain Cyrillic characters):
// sSiteCode may contain Cyrillic characters
var oKey = {
SiteCode: sSiteCode
};
var sPath = "/" + oModel.createKey("Sites", oKey);
this.getView().bindElement({path: sPath});
It turns out that, if sSiteCode = 'б' (i.e., contains Cyrillic characters), then a GET request will be sent (via batching) to the following URI:
http://<server>:<port>/odata/Sites('б')
However, the server is unable to parse this URI (and subsequently replies with a 404), as it doesn't know what encoding to use. I patched the method ODataModel.prototype._createRequestUrl as follows:
sNormalizedPath = this._normalizePath(sPath, oContext);
sNormalizedPath = encodeURI(sNormalizedPath); // my addition
Then it seems to work, for this particular case. I'm wondering if this is a bug or a feature, and what should I do next?
FYI, I'm using OpenUI5 1.32.11.
Instead of sending
http://<server>:<port>/odata/Sites('б')
The actual string sent to the server should be
http://<server>:<port>/odata/Sites(%27б%27)
Which is the result of the encodeURI() call. Since UI5 allows you to freely define the Models URL and its parameters you have to take care on the correct URI encoding (and all parameters).
So in my opinion this is not a bug but the down part of the possibility to configure the URI without "black-box" behaviour of UI5.

Preventing XSS Attack on Form

All:
I have an issue with a project I am working on using C# MVC4
In the project, I am accepting a URL and other parameters from a user, then do some processing and send the result of the processing to the URL provided by the user.
The result is being sent using the following code:
var context = HttpContext.Current;
context.Response.Write("<html><head>");
context.Response.Write("</head><body>");
context.Response.Write(string.Format("<form name=\"myform\" method=\"post\" action=\"{0}\" >", postUrl));
context.Response.Write("</form>");
context.Response.Write("<script type=\"text/javascript\">document.myform.submit();</script></body></html>");
context.Response.Write("</body>");
context.Response.Flush();
context.Response.Clear();
context.ApplicationInstance.CompleteRequest();
Whenever a user attempts an XSS like passing a url value of javascript%3aalert('xss')%2f%2f, the JavaScript runs and the pop up shows up.
I've tried Antixss.HtmlEncode() to encode the URL before passing it into string.Format but still doesn't work. I've tried Antixss.UrlEncode() also, but this gives error as the form doesn't submit to the URL.
Please help me out, Is there something I am missing? What else can I do?
Thanks in advance.
You will need a three pronged approach to solve this issue.
Preventing XSS injection:
Note that if a user injected the url value
" /> <script>alert('xss')</script>
this would also leave you vulnerable:
<form name="myform" method="post" action="" /> <script>alert('xss')</script>" >
Therefore you should use the HttpUtility.HtmlAttributeEncode function to solve this one.
However, don't stop there. As noted, you should protect against javascript: style URLs. For this I would ensure that the URL begins with http:// or https://. If not, throw a SecurityException which you should be logging and handling server-side, and showing the user a custom error page.
Finally, you want to protect against Open Redirect Vulnerabilities. This is to stop phishing attacks by redirecting users to other domains. Again, use a whitelist approach and ensure that the domain redirected to is one of your own. Be careful on the parsing here, as it is easy to get it wrong - a URL of http://example.org?http://example.com will pass the validation filter for example.com on many badly written validation routines. I recommend using the Uri object in .NET and retrieving the domain through that rather than rolling your own string functions.
You could also check if the URL is a relative URL, and allow it if acceptable. Use something like this function which uses a built in .NET library to ensure that it is relative or not.
Just a thought - try putting this script in rather than just document.myform.submit (and remove the form's action property):
if("{0}".indexOf('http') !== 0) {
//this is some sort of injection, or it's pointing at something on your server. Should cover http and https.
//Specifically, it makes sure that the url starts with 'http' - so a 'javascript' url isn't going to work.
} else {
document.myform.action="{0}"
document.myform.submit();
}
There is more you could do, but this should help.
Since you are adding the postUrl as an attribute "action" of the form tag, you can try using HtmlAttributeEncode method in the HttpUtility
[ValidateInput(false)]
public ActionResult Test(string url)
{
    var context = System.Web.HttpContext.Current;
    context.Response.Write("<html><head>");
    context.Response.Write("</head><body>");
    context.Response.Write(string.Format("<form name=\"myform\" method=\"post\" action=\"{0}\" >", HttpUtility.HtmlAttributeEncode(url)));
    context.Response.Write("</form>");
    context.Response.Write("<script type=\"text/javascript\">document.myform.submit();</script></body></html>");
    context.Response.Write("</body>");
    context.Response.Flush();
    context.Response.Clear();
    context.ApplicationInstance.CompleteRequest();
    return null;
}
http://localhost:39200/home/test?url=https%3A%2F%2Fwww.google.com - Worked
http://localhost:39200/home/test?url=%3Cscript%3Ealert(%27test%27)%3C%2Fscript%3E - Worked(Did not show alert)
It is always good practice to Validate the user input against a white list of inputs, to prevent XSS exploits.
try using HttpUtility.UrlEncode
something like Response.Write(HttpUtility.UrlEncode(urlString));
see How To: Prevent Cross-Site Scripting in ASP.NET for more steps =)
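The scheme check, host allowlist and attribute encoding recommended in the first answer above, written in Java (the language of the rest of this page) as an added example that is not part of the original thread. java.net.URI stands in for the .NET Uri class, and the allowed hosts, the class name and the method names are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added illustration; PostUrlCheck and its members are hypothetical names.
public class PostUrlCheck {

    // Assumption: the only hosts this application may post results to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // Returns the URL if its scheme and host are allowlisted, otherwise throws.
    static String validate(String candidate) {
        if (candidate == null) {
            throw new SecurityException("Missing URL");
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            // Quotes, spaces and angle brackets are not legal in a URI.
            throw new SecurityException("Not a valid URL");
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new SecurityException("Scheme not allowed: " + scheme);
        }
        // The host comes from the parser, never from substring matching on the raw string.
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new SecurityException("Host not allowed: " + host);
        }
        return uri.toASCIIString();
    }

    // Encodes a value for use inside a double-quoted HTML attribute.
    static String escapeAttribute(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("'", "&#39;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    // Builds the form tag only from a URL that passed validation.
    static String formTag(String postUrl) {
        return "<form name=\"myform\" method=\"post\" action=\""
                + escapeAttribute(validate(postUrl)) + "\">";
    }

    public static void main(String[] args) {
        // The first sample is constructed; the others are the values quoted in this thread.
        String[] samples = {
            "https://example.com/callback?id=1&step=2",
            "javascript:alert('xss')//",
            "\" /> <script>alert('xss')</script>",
            "http://example.org?http://example.com"
        };
        for (String sample : samples) {
            try {
                System.out.println("accepted: " + formTag(sample));
            } catch (SecurityException e) {
                System.out.println("rejected: " + sample + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Validation and encoding do different jobs here: the allowlist decides where the form may post, while the attribute encoding keeps even an accepted URL, with its & characters, from breaking out of the action attribute.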

Passing Code as String

I have created a Web API that will receive Input from Jquery and will use this input to dynamically alter a string that's stored in a resource file.
This String happens to be an almost complete piece of vbscript code that I plan on passing back down to my website.
My problem is that the resource automatically "stringifies" the Code and the output is flooded with escape characters which renders it completely unusable as actual code.
Is there a way to store the code in a way that makes escape strings unnecessary while still enabling me to alter it similar to "if it were a string" and pass it down to my Website?
The goal is to then use Jquery/Javascript to make this code into an actual vbscript file and let the user download it.
As per request here some Code.
public string GetDeployment(Deployment deployment)
{
string vbs = Resource1.vbs;
vbs = vbs.Replace("%environment%", deployment.SystemKind);
vbs = vbs.Replace("%platform%", deployment.PlatformKind);
vbs = vbs.Replace("%application%", deployment.ApplicationName);
vbs = vbs.Replace("%config", deployment.ConfigInfix ?? "Null");
vbs = vbs.Replace("%subFolder%", deployment.subFolder ?? "Null");
return vbs;
}
This method alters the vbscript depending on the Input. The API itself receives a JSON with Data for all the properties of deployment.
public class DeploymentController : ApiController
{
private DeploymentRepository DeploymentRepository;
public DeploymentController()
{
DeploymentRepository = new DeploymentRepository();
}
[HttpPost]
public string Post([FromBody]Deployment deployment)
{
return DeploymentRepository.GetDeployment(deployment);
}
}

Need help processing (not executing) javascript found on the page

I need to drive a website that is rendered almost entirely with javascript. I have been able to detect the rendered page and navigate it so far, however there are variables in the script that I'd like to process for some navigation decisions. I can identify tags using xpath but I can't get the text in between them. To be clear, I do not wish to execute javascript, just read the variables in the javascript on the page. I'm having trouble finding any documentation that spells out what I need. In one thread someone mentioned using a document object, but I'm not sure how to programmatically get to that.
I'd really appreciate a hint here. Thanks very much in advance for your help.
I figured it out. WebDriver.getPageSource(). Since there were no JavaScript parsers, I located the bits I wanted with a regular expression, then converted the JSON into an object with simple json.
// Needs java.util.regex.Matcher and java.util.regex.Pattern, plus JSONArray,
// JSONObject, JSONParser and ParseException from org.json.simple.
private String getRandomProvider() {
    String shortName = "";
    JSONArray providers;
    String page = this.getPageSource();
    // Capture the array literal assigned to domainBootstrap.providers in the page source.
    Pattern pattern = Pattern.compile("domainBootstrap\\.providers = (\\[,?\\{.*\\}\\]);");
    Matcher matcher = pattern.matcher(page);
    if (matcher.find()) {
        try {
            providers = (JSONArray) new JSONParser().parse(matcher.group(1));
            int randomProvider = (int) (Math.random() * providers.size());
            JSONObject provider = (JSONObject) providers.get(randomProvider);
            shortName = provider.get("shortName").toString();
        } catch (ParseException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }
    return shortName;
}

Post processing Wicket response (Rhino, jQuery)

My question is if there is a way to simply post process wicket HTML response?
What I want to do is to apply some DOM transformations to the generated HTML using Rhino (http://www.mozilla.org/rhino/) and jQuery.
Anyone ever thought about it? Any suggestions where to start?
Best,
Maciej Wrzalik
OK, I've got this:
public class MyRequestCycle extends WebRequestCycle {
    public MyRequestCycle(WebApplication application, WebRequest request, WebResponse response) {
        super(application, request, response);
    }

    @Override
    protected void onEndRequest() {
        String responseString = response.toString();
        //String newResponseString = process(responseString);
        //replace old response content with the newResponseString
        super.onEndRequest();
    }
}
In method onEndRequest the string responseString contains HTML code that I'm going to alter some way using Rhino, Envjs and jQuery but the question is how can I replace the old response content with the new one?
Envjs emulates the browser environment under Rhino, and specifically allows you to do DOM manipulation server-side using jQuery. I have used it before in my projects, and have had good success. Relevant resources:
http://www.envjs.com/
http://ejohn.org/blog/bringing-the-browser-to-the-server/
If you want the post-processing done on the server, your best bet is likely to implement a Servlet Filter which modifies the response before it goes to the client.
As you're working on the rendered HTML, this has nothing particular to do with Wicket, and could be applied to html generated by any Java framework.
As suggested, a normal Java EE filter would work fine, if there's nothing Wicket-specific that you need for the processing.
But if you want to do it inside Wicket, for some reason or other, I suppose you could create your own RequestCycle implementation (MyRequestCycle extends WebRequestCycle) and do the processing there (perhaps by overriding onEndRequest and/or getWebResponse).
To use a custom RequestCycle, override newRequestCycle in your Application class:
@Override
public RequestCycle newRequestCycle(Request request, Response response) {
    return new MyRequestCycle(this, (WebRequest) request, response);
}
I'm using a custom RequestCycle for a couple of things (e.g. this) myself—it's simple and straightforward—but I'm not 100% sure if it fits your needs here. (My Wicket experience is still somewhat limited.)
