Prevent the XSS security threat in a Spring application

What is XSS (Cross Site Scripting):

XSS (Cross-site Scripting) is one of the most common vulnerabilities in web applications, and it can be exploited very easily without any sophisticated tool.

How does it work?
Most web applications have forms that receive input from the user, and a form with a text field can be exploited by a hacker.
A hacker can enter JavaScript code, e.g. eval(""), in the *userid* text field. When the form is
submitted, the server processes it and returns the page. This is not the scenario we want to happen.

Suppose your form looks like this (using Spring form tags):

The hacker may enter something like " jeevanalert("I won.") " in the text field. When the form is submitted, the page is returned with an error because the user is not authenticated.

Solution:
If the input text is converted into HTML escape sequences while the server processes it, the browser receives
the escape sequences instead. The resulting text is not valid JavaScript, so the browser will not execute it.

After conversion into HTML escape sequences, the above code would look like:

Since every '<', '>' and other non-alphanumeric character is converted into an HTML character reference, the text is no longer JavaScript code, so the browser will not execute it.

Solution with Spring MVC:
In Spring MVC, form tags are used to build the JSP page. Spring MVC provides several options
for applying HTML escaping on the server side.

  • At the global level, it can be defined in the web.xml file. This applies to the entire application, and all form tags refer
    to this definition. The sample code is shown below:
  • At the page level, it is defined as a tag declaration. The code is: Any form tag after the above declaration uses HTML escape-sequence encoding.
  • The third option is to define it as an attribute on each form tag. For example, an input text field can be defined as:

Depending on the requirement, it can be implemented at the global, page or tag level.

Filter Approach:
Another solution to the XSS issue is to filter all the text fields in the form when the form is submitted. It needs an XML entry in the web.xml file and two simple classes.

The code for the first class, CrossScriptingFilter.java, is:

The code for the second class, RequestWrapper.java, is:

The only thing remaining is the XML entry in the web.xml file:

The <url-pattern>/*</url-pattern> indicates that for every request made from the browser, the container will call the CrossScriptingFilter class, which parses all the components/elements of the request and replaces all the JavaScript tags inserted by the hacker with the empty string, i.e. "".

We have four approaches to prevent the XSS threat.
Choose the approach according to your need.
