XSS cross site scripting attack prevention

Hi all,

First, I don't know if this question should be posted in this forum. If not, please let me know.

I'm trying to find a solution for this issue. I've searched but couldn't find a clear answer about preventing XSS in WebSphere 5.0.

Another question: if we use the filtering and encoding solution in the servlets, how could it protect us from a script inserted and executed before the data is sent to the servlet? (Or can this scenario not be realized?)

Thanks in advance.

By zada_bha at 2007-11-27 10:20:40
# 1

> First, I don't know if this question should be posted in this forum. If not, please let me know.

Seems like the right forum to me :-)

> I'm trying to find a solution for this issue. I've searched but couldn't find a clear answer about preventing XSS in WebSphere 5.0.

I doubt you're going to find a solution to XSS within WebSphere. You might look for something called "Active Content Filter", but I think that's only used for Lotus DWA. Your application itself really needs to account for this type of attack. There are two primary countermeasures for stopping XSS. An application should do both for a defense-in-depth approach. First, validate input data. Since you're in a Java environment, you can use a filter as a quick and dirty solution - see http://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest. Second, encode data upon output. This simply means converting special characters into HTML entity references - see http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java

> Another question: if we use the filtering and encoding solution in the servlets, how could it protect us from a script inserted and executed before the data is sent to the servlet? (Or can this scenario not be realized?)

I don't understand. Can you explain further?

dferguson1a at 2007-7-28 17:05:01 > top of Java-index,Security,Other Security APIs, Tools, and Issues...
# 2

Hi,

Thanks for your speedy reply. :-)

I'll try it as soon as possible.

Concerning my second question: I just wanted to know where the filtering will occur. In the JSP or in the servlet?

In case it is done in the servlet, and the hacker inserted a script in the JSP, the script will be executed before it arrives at the servlet (before data filtering).

Thanks again.

zada_bha at 2007-7-28 17:05:01
# 3

> Concerning my second question: I just wanted to know where the filtering will occur. In the JSP or in the servlet?
> In case it is done in the servlet, and the hacker inserted a script in the JSP, the script will be executed before it arrives at the servlet (before data filtering).

You're talking as if JSPs and servlets are different. A JSP *is* a servlet. If you protect correctly, a hacker will not be able to insert a malicious script anywhere in your web app. Don't worry about JSP vs. servlet. You should think about it in terms of the HTTP requests and responses that are happening. All requests from the client should go to the filter. The filter is like a preprocessor that stops potentially dangerous requests (the filter may need to be tuned for your particular data). Responses should be encoded prior to being sent to the client.

dferguson1a at 2007-7-28 17:05:01
# 4

Simply stated, it comes down to input parameter validation and output value HTML encoding. Make sure that all your GET and POST parameter values are validated against a known set, catching suspicious characters like '<' and '>'. Also HTML-encode all displayed output that can be user input data. This is more a hole in the application and not specific to WebSphere or any other app server.

edsuma at 2007-7-28 17:05:01
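Replies #1, #3 and #4 all describe the same two-layer defense: a servlet Filter that validates every request parameter before the application sees it, and HTML entity encoding of anything user-supplied on the way out. The following is an added example of both, written for this thread and not taken from the thread, OWASP or IBM. It assumes the Servlet 2.3 API (javax.servlet.*) that WebSphere 5.0 ships with; the class name, the allow-list pattern and the web.xml fragment are illustrative and should be tuned to the data your application actually accepts.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Added example, not code from the thread or from IBM/OWASP.
 * Assumes Servlet 2.3 (WebSphere 5.0). Names and the pattern are illustrative.
 *
 * Register it in web.xml so every request passes through it:
 *   <filter>
 *     <filter-name>XssDefenseFilter</filter-name>
 *     <filter-class>XssDefenseFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>XssDefenseFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * In a JSP, encode on the way out:
 *   <%= XssDefenseFilter.encodeHtml(request.getParameter("name")) %>
 */
public class XssDefenseFilter implements Filter {

    // Input validation: an allow-list of letters, digits, whitespace and a
    // little punctuation. '<', '>', '"', '\'' and '&' are deliberately absent.
    private static final Pattern SAFE_PARAM =
        Pattern.compile("^[\\p{L}\\p{N}\\s.,!?@_-]*$");

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}

    // Every GET/POST parameter is checked before the servlet or JSP sees it.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String bad = firstUnsafeParameter(request);
        if (bad != null) {
            ((HttpServletResponse) res).sendError(
                HttpServletResponse.SC_BAD_REQUEST, "Rejected parameter: " + bad);
            return; // the request never reaches the application
        }
        chain.doFilter(req, res);
    }

    // Returns the name of the first parameter that fails validation, or null.
    static String firstUnsafeParameter(HttpServletRequest request) {
        for (Enumeration names = request.getParameterNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            String[] values = request.getParameterValues(name);
            for (int i = 0; values != null && i < values.length; i++) {
                if (!isSafe(values[i])) {
                    return name;
                }
            }
        }
        return null;
    }

    static boolean isSafe(String value) {
        return value == null || SAFE_PARAM.matcher(value).matches();
    }

    // Output encoding: the five characters that matter in HTML text and
    // attribute values become entity references, so the browser renders
    // them as data instead of parsing them as markup.
    public static String encodeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuffer out = new StringBuffer(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

Two things to keep in mind when adapting this. The allow-list rejects the whole request as soon as one parameter fails, which is safe but will also reject legitimate input such as "Tom & Jerry"; relax the pattern per parameter rather than globally if that bites. And encodeHtml is only correct for HTML text and quoted attribute values: a value written into a JavaScript block or a URL needs that context's own encoding, which is why the output-side step matters even with the filter in place.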
# 5

Thanks a lot for your posts. I'll implement it as soon as possible.

In addition to this method for preventing XSS attacks, an audit company proposed to set the "http-only" and "secure" attributes on the cookies. Does it have to be set on the server side? And how?

P.S.: we're using IBM HTTP Server. Should we include some modules (compared to Apache, where you install mod_perl and compile a Perl script in which we define these two parameters)?

Thanks again.

zada_bha at 2007-7-28 17:05:01
# 6

The reason for having the Secure and HttpOnly flags is that they help prevent a session ID from being compromised. You need to know what piece of software is setting the cookie (Http Server? WebSphere?). Then you can search for configuration settings to allow you to set the flags. In an ASP.NET environment (for example) in the web.config file you can configure it like this:

<httpCookies requireSSL="true" httpOnlyCookies="true" />

Unfortunately, the standard web.xml in Java doesn't have these options.

dferguson1a at 2007-7-28 17:05:01
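Reply #6 points out that web.xml has no switch for these flags. On the Servlet 2.3 API that WebSphere 5.0 provides, javax.servlet.http.Cookie has no HttpOnly setter either, so the practical route from application code is to write the Set-Cookie header yourself. The following is an added example of that, written for this thread and not taken from the thread or from IBM: a Filter that wraps the response and appends HttpOnly (and, on an HTTPS request, Secure) to every cookie the application sets. The class and method names are illustrative.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Added example, not code from the thread or from IBM. Assumes Servlet 2.3
 * (WebSphere 5.0), where Cookie has no HttpOnly setter, so the filter renders
 * the Set-Cookie header itself and appends the flags. Names are illustrative.
 * Map it to the /* url-pattern in web.xml like any other filter.
 *
 * Caveat: this only sees cookies the application sets through the wrapped
 * response. The container's own session cookie (JSESSIONID) is written by
 * WebSphere, not by application code, and needs container-side configuration
 * that this filter cannot supply.
 */
public class CookieFlagsFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Secure is only added on an HTTPS request: a Secure cookie set over
        // plain HTTP would never be sent back by the browser.
        chain.doFilter(req, new FlaggingResponse(response, req.isSecure()));
    }

    // Append "HttpOnly" and (on HTTPS) "Secure" unless already present.
    static String withFlags(String setCookie, boolean overHttps) {
        StringBuffer sb = new StringBuffer(setCookie);
        if (!hasAttribute(setCookie, "HttpOnly")) {
            sb.append("; HttpOnly");
        }
        if (overHttps && !hasAttribute(setCookie, "Secure")) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    // Attributes follow the name=value pair and are separated by ';'.
    static boolean hasAttribute(String setCookie, String attribute) {
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().equalsIgnoreCase(attribute)) {
                return true;
            }
        }
        return false;
    }

    // Minimal rendering of a Cookie object as a Set-Cookie header value.
    // (Max-Age is ignored by some old browsers, which only honour Expires.)
    static String render(Cookie c) {
        StringBuffer sb = new StringBuffer();
        sb.append(c.getName()).append('=').append(c.getValue());
        if (c.getPath() != null)   sb.append("; Path=").append(c.getPath());
        if (c.getDomain() != null) sb.append("; Domain=").append(c.getDomain());
        if (c.getMaxAge() >= 0)    sb.append("; Max-Age=").append(c.getMaxAge());
        return sb.toString();
    }

    // Intercepts every way the application can emit a cookie.
    static class FlaggingResponse extends HttpServletResponseWrapper {
        private final boolean overHttps;

        FlaggingResponse(HttpServletResponse response, boolean overHttps) {
            super(response);
            this.overHttps = overHttps;
        }

        public void addCookie(Cookie cookie) {
            super.addHeader("Set-Cookie", withFlags(render(cookie), overHttps));
        }

        public void addHeader(String name, String value) {
            if ("Set-Cookie".equalsIgnoreCase(name)) {
                value = withFlags(value, overHttps);
            }
            super.addHeader(name, value);
        }

        public void setHeader(String name, String value) {
            if ("Set-Cookie".equalsIgnoreCase(name)) {
                value = withFlags(value, overHttps);
            }
            super.setHeader(name, value);
        }
    }
}
```

If the application is only ever reachable over HTTPS, drop the isSecure() condition and set Secure unconditionally; the conditional form is there so that a site still serving some pages over plain HTTP does not silently lose its cookies. To verify, look at the raw response headers (for example in a proxy) and check that each Set-Cookie line ends with "; HttpOnly; Secure".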
# 7

Aha. I think it's not related to WebSphere. It's more related to the server (browser). In this case, how/where do I configure these two parameters on the server side? I've tried to search for it, but all the answers are about ASP.NET. Can you give me references about the config if possible?

Thank you.

zada_bha at 2007-7-28 17:05:01