
Servlet Filter for XSS prevention

 
deepak
Greenhorn
Posts: 3
My application has been through a security audit and I was told that there are XSS issues (parameters passed through the URL are stored without filtering, and that output is not entity encoded to take care of HTML metacharacters).

I have 2 questions:

1. I am planning to use a servlet filter with AntiSamy to filter user input for script tag presence (http://bazageous.wordpress.com/). Does it take care of all HTML metacharacters? Which policy file should I use? There is no requirement to enter HTML input.
2. How can I replicate this issue? I have tried injecting
   a. <BR SIZE="&{alert('XSS')}">
   b. <script>alert(123)</script>
   along with other user inputs through text fields, but with NO success in creating an alert while rendering the JSP (through JSON and ExtJS). Please suggest how I can reproduce this issue; the application does not take care of XSS as of today.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64990
1. That's a question best answered by the author or by inspecting the code.
2. The problem is unlikely to manifest when simply returning info as JSON, as that's just data. It depends what you do with that data.

The easiest way to replicate the problem is to enter a script tag as a value that gets displayed in a JSP. Using <c:out> when displaying unsafe data solves 99% of the problem.
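To make the output-encoding advice concrete, here is an added example (not code from this thread or from any project mentioned in it) showing what happens to the thread's own sample input when it is written to a page raw versus entity encoded. The `escape` method reproduces the five substitutions that JSTL's `<c:out>` performs by default (`escapeXml="true"`); the class name and the sample values are my own constructions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Output-side HTML entity encoding: the same five replacements that
 * JSTL's <c:out value="..."/> applies when escapeXml is left at its
 * default of true. This is what turns a stored script tag into inert
 * text in the rendered page. (Hypothetical class name for this example.)
 */
public final class HtmlOutputEncoder {

    /** Encode the characters that let untrusted text break out of HTML text nodes or attributes. */
    public static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;   // must be first so encoded output is not re-encoded
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;   // same numeric forms <c:out> emits
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** True when the encoded string can no longer open a tag or close an attribute. */
    public static boolean isInert(String encoded) {
        return encoded.indexOf('<') < 0
            && encoded.indexOf('>') < 0
            && encoded.indexOf('"') < 0
            && encoded.indexOf('\'') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample values: the two payloads quoted in the question
        // plus an ordinary value, as they might come back from the database.
        Map<String, String> stored = new LinkedHashMap<>();
        stored.put("ordinary value", "Tom & Jerry");
        stored.put("sample a", "<BR SIZE=\"&{alert('XSS')}\">");
        stored.put("sample b", "<script>alert(123)</script>");

        for (Map.Entry<String, String> e : stored.entrySet()) {
            String raw = e.getValue();
            String safe = escape(raw);
            // In a JSP the left column is what ${value} writes and the
            // right column is what <c:out value="${value}"/> writes.
            System.out.printf("%-15s raw:     %s%n", e.getKey(), raw);
            System.out.printf("%-15s encoded: %s   inert=%b%n%n", "", safe, isInert(safe));
        }
    }
}
```

In the JSP, the difference is a single tag: `${item.name}` writes the stored string verbatim, while `<c:out value="${item.name}"/>` writes the encoded form, so the browser shows the literal text `<script>alert(123)</script>` instead of executing it. Encoding at output time, rather than only filtering at input time, is what makes the stored data safe regardless of which page later displays it.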
 