There are many ways to handle XSS or Cross side scripting problems in Java, J2EE, Struts, Spring and JSP. This post covers most popular tools and ways to do that. In this post I will explain about tools like
Ways to fix XSS issues in Java
Servlet Filters: This is the most common way perhaps to have a inbound servlet filter, that intercepts each incoming request and wraps it in a HttpRequestWrapper that returns each parameter value cleaned from XSS possibilities. One can see the Code Snippet here. The approach shown in this example is pretty simple the request wrapper cleans the script tag and the < and > symbols. So this solution is not protecting you from SQL Injection attacks by default. So if one needs more secure filtering one can mix it with the libraries like Reform, XssProtect or AntiXss. So this mix and match solution will give you a good solution.
JSP Printing: The other way to safeguard yourself is to not to use scriplets like <%= at all for printing any data that carries user inputted values. Instead of using scriplet one can use tags that escape the value printed in HTML, like c:out. This tag by default escapes all the XML tags. So even in some hacker has added some script or other malicious item in request data. You will be safe.
Cookie: Its best to exchange cookies in secure mode. Try to use HTTPS/SSL only in case of public sites with crucial transactions. So if one is using HTTPS and cookies, the java Cookie object’s “setSecure()” method should be called to ensure that “the browser will send the cookie using a secure protocol only, such as HTTPS or SSL”.
ViewHelpers / Renders: If one is preparing some HTML to be rendered in View Helper/Renders. One can use libraries like Reform. this will ensure that any this risky is properly encoded and cleaned to be written as HTML.
Tools to fix XSS issues in Java
HDIV : If you are having a MVC based J2EE App that uses either Struts or Spring the best solution available today is HDIV, this tool is complaint with all possible standards laid out by OWASP. The cipher and hash mechanism employed ensures that each tampered request is always detected and failed to do any security breach. This library requires very less integration effort, because it overrides the existing tags in both spring and struts. So one can just keep on using the existing code after doing the minimal setup. One can also use HDIV with plain JSTL tags, it overrides the CORE library for c:url and c:redirect tags.
Reform : This library is released by OWASP for Java. Its basically useful for encoding various HTML stuff like HTML Code, attributes, javascript stuff.
XssProtect : This library is available at google code project. Its a pluggable filter based mechanism that supports addition of custom filters too. This library developers say that its tested against all tests mentioned in http://ha.ckers.org/xss.htm
Anti XSS For Java : This library is port of Microsoft Anti Xss Library to Java. So is anyone is familiar with Microsoft version and will be more comfortable to use this library. It again gives a couple of methods useful for encoding HTML code, attributes and script stuff against XSS.
Launched in 2015, used by 9000+ worldwide users. It's a suite of tools for Salesforce consultants, architects, admins & developers.
Comments (4)
Anonymoussays:
December 16, 2011 at 11:02 amvery nice article regarding Web Application Security thanks Tuna
Anonymoussays:
December 16, 2011 at 11:12 amThanks Tuna, I'm glad you liked it.
Anonymoussays:
May 24, 2013 at 6:30 amHi,I want to know whether HDIV can be used only with JSP.Can I use HTML+Thymeleaf as front endReply as soon as possibleThank you
Anonymoussays:
May 24, 2013 at 10:14 am@Chandan, as following quoted is mentioned in hdiv.org” This implies that we can use HDIV in applications developed in Struts 1.x, Struts 2.x, Spring MVC & JSTL, Grails, JSF in a transparent way to the programmer and without adding any complexity to the app”It seems you should be fine in using it with JSP only.