In my current project we are using Servlets & JSPs. We are facing the below-listed security problems:
1. Cross-Site Scripting
2. Stored Cross-Site Scripting
3. Phishing Through Frames
4. Link Injection
Could you please kindly provide your valuable suggestions/solutions to overcome these issues.
Thanking you in advance for your generous support.
One thing that can help to prevent XSS is to use either JSTL or JSF.
Both of those will escape the HTML.
vasu Sanaboina wrote: But it's very difficult to scan all the fields and URLs. Each screen has 100s of fields. It obviously decreases the performance.
vasu Sanaboina wrote: But it's very difficult to change all the fields to that script. That too, some fields are generated on the Java side, i.e. dynamically formed in Java and populated in the JSP. Mine is a big project.
Neither task is difficult, just time-consuming to implement. But there is no substitute for application security, so it's not like you have a choice. Plus, performance is almost always subservient to security, so again, you have it backwards. I found some useful starting points in the FAQ right here: http://www.coderanch.com/how-to/java/SecurityFaq#web-apps
Since the majority of your issues seem to be related to XSS, you may want to take a good look at https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet, especially rules #1 and #2.
As far as having hundreds of fields to scan, is there a way using OOP can help overcome this? What does your "FieldWriter" object do?
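As an added illustration of the OOP angle raised above (this is example code, not the poster's FieldWriter nor anything from the thread), one central helper that applies OWASP rule #1 (HTML body encoding) and rule #2 (attribute encoding) so that fields assembled on the Java side are encoded in one place instead of per JSP; the class, method and sample values are assumptions.

```java
// Added example; HtmlOutput and its method names are illustrative, not from the thread.
public final class HtmlOutput {

    // Rule #1: escape untrusted data before placing it in HTML element content.
    public static String forHtmlBody(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Rule #2: inside a quoted attribute, encode every non-alphanumeric character
    // below 256 as &#xHH; so a value can never break out of the attribute.
    public static String forHtmlAttribute(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                         || (c >= '0' && c <= '9');
            if (alnum || c >= 256) sb.append(c);
            else sb.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return sb.toString();
    }

    // One rendering point for a form field: every field built in Java goes through
    // here, so adding a field does not mean remembering to escape it by hand.
    public static String inputField(String name, String value) {
        return "<input type=\"text\" name=\"" + forHtmlAttribute(name)
             + "\" value=\"" + forHtmlAttribute(value) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample of a stored value that tries to close the attribute.
        String stored = "\" onmouseover=\"alert(1)";
        System.out.println(forHtmlBody("<b>" + stored + "</b>"));
        System.out.println(inputField("city", stored));
    }
}
```

For the parts that are plain JSP, rule #1 is what JSTL's `<c:out>` already gives you (its `escapeXml` attribute defaults to true); the helper above is for the fragments assembled in Java code.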
Please, if anyone has a proper solution, kindly let me know.
Thanking you in advance for your valid response.