Friday, October 5, 2007

How to avoid XSS security threat using Spring MVC

XSS (Cross-site Scripting) is one of the most common vulnerabilities in web applications, and it can be exploited very easily, without any sophisticated tool.

How does it work? Most web applications have forms (text boxes etc.) to receive input data from the user. For example, a web application may have an input text field for a 'user-id'. The hacker may enter anything into it, including JavaScript. If the hacker enters JavaScript (malicious code), the server may process it and then return it. In this case, the user-id fails authentication and is sent back as-is on the error page.

If the user's input data is returned as it is, the JavaScript code may execute. And the hacker wins!

To explain further, the JSP code may look like the following (using Spring MVC form tags):

<form:form id="personForm">
<form:input path="name" />
<input type="submit" value="Submit">
</form:form>

This will show a simple screen with an input box and a submit button. The hacker may enter the following code:

">Hacker<script>alert("I am destroyer");</script>

When the page is submitted, it is returned with an error because the user is not authenticated. The error page contains the 'name' value too, so the expanded page would look like:

<form id="personForm">
<input type="text" name="name" value="">Hacker <script>alert("I am destroyer");</script>"/>
<input type="submit" value="Submit">
</form>

While loading this page, the browser may run the script. The hacker may put anything in the JavaScript.

What is the solution? HTML 4.0 defines 252 character entities (escape sequences), which cover most of the characters (excluding alphanumerics) used to design HTML pages. If the input text is converted into HTML escape sequences during processing on the server, the browser receives the escape sequences instead of the raw characters. The resulting text is no longer valid JavaScript (or markup), so the browser will not execute it.

After conversion into HTML escape sequences, the above code would look like:

<form id="personForm">
<input type="text" name="name" value="&quot;&gt;Hacker&lt;script&gt;alert(&quot;I am destroyer&quot;);&lt;/script&gt;"/>
<input type="submit" value="Submit">
</form>

Since all instances of '<', '>', '"' and the other non-alphanumeric characters are converted into HTML character references, the value is no longer JavaScript code, and the browser will not execute it. For more information on HTML escape entities (escape sequences), refer to Wikipedia: http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

Solution with Spring MVC

In Spring MVC, form tags are used to create the JSP page. Spring MVC provides multiple options to apply HTML-escape encoding on the server side.

  • At global level, it can be defined in the web.xml file. This applies to the entire application; all form tags refer to this definition. The sample code is shown below:

<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>

  • At page level, it is defined as a tag declaration:

<spring:htmlEscape defaultHtmlEscape="true" />

  Any form tag after the above declaration uses HTML-escape encoding.

  • The third option is to define it as an attribute on each form tag. For example, an input text field can be defined as:

<form:input path="name" htmlEscape="true" />

Depending upon the requirement, it can be implemented at global, page or tag level.
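To show what the htmlEscape setting does to the payload above, here is an added example that is not part of the original post and not Spring's own code: a hand-written escaping routine standing in for the HtmlUtils.htmlEscape call that Spring's form tags use, rendered once with escaping off and once with it on. The PAYLOAD constant and the renderInput helper are assumptions made for this demo.

```java
public class HtmlEscapeDemo {

    // Constructed sample: the same string the post shows being typed into the 'name' field.
    static final String PAYLOAD = "\">Hacker<script>alert(\"I am destroyer\");</script>";

    // Escape the characters that can close an attribute value or open a tag.
    // Spring's HtmlUtils.htmlEscape additionally maps the remaining HTML 4.0
    // named entities; these five are the ones that matter for stopping XSS.
    static String htmlEscape(String input) {
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (char c : input.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // HTML 4.0 defines no &apos;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical stand-in for what <form:input path="name"/> emits,
    // with htmlEscape="false" (raw) or htmlEscape="true" (escaped).
    static String renderInput(String value, boolean escape) {
        String v = escape ? htmlEscape(value) : value;
        return "<input type=\"text\" name=\"name\" value=\"" + v + "\"/>";
    }

    // Defender's sanity check: the template itself emits exactly one '<',
    // so any extra '<' in the rendered tag means user data broke out of the attribute.
    static boolean attributeBrokenOut(String rendered) {
        int count = 0;
        for (char c : rendered.toCharArray()) if (c == '<') count++;
        return count > 1;
    }

    public static void main(String[] args) {
        String raw = renderInput(PAYLOAD, false);
        String safe = renderInput(PAYLOAD, true);
        System.out.println("htmlEscape=\"false\" -> " + raw + "  brokenOut=" + attributeBrokenOut(raw));
        System.out.println("htmlEscape=\"true\"  -> " + safe + "  brokenOut=" + attributeBrokenOut(safe));
    }
}
```

The escaped output reproduces the value attribute shown in the post's corrected page, while the raw output reproduces the broken-out `<script>` tag from the vulnerable one.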

For more information on XSS, refer to Wikipedia: http://en.wikipedia.org/wiki/Cross-site_scripting

2 comments:

Anonymous said...

hey i tried all 3 approaches... in the web.xml, top of the (display, and input pages), and on the input control.

but it doesn't seem to escape it. the javascript/html code just executes (browser) when viewing using ${varname}

is there other configuration or dependency on the type of view etc? tiles matter?

Anonymous said...

Nice brief and this fill someone in on helped me a lot in my college assignment. Thank you seeking your information.