February 18, 2009

Java J2EE Struts Spring JSP Cross-Site Scripting or XSS framework library tools

There are many ways to handle XSS, or cross-site scripting, problems in Java, J2EE, Struts, Spring and JSP. This post covers the most popular tools and ways to do that. In this post I will explain about tools like

Ways to fix XSS issues in Java

  1. Servlet Filters: Perhaps the most common way is to have an inbound servlet filter that intercepts each incoming request and wraps it in a HttpRequestWrapper that returns each parameter value cleaned of XSS possibilities. One can see the Code Snippet here. The approach shown in this example is pretty simple: the request wrapper cleans the script tag and the < and > symbols. So this solution does not protect you from SQL Injection attacks by default. If one needs more secure filtering, one can mix it with libraries like Reform, XssProtect or AntiXss. This mix and match will give you a good solution.
  2. JSP Printing: The other way to safeguard yourself is to not use scriptlets like <%= at all for printing any data that carries user-supplied values. Instead of a scriptlet, one can use tags that escape the value printed in HTML, like c:out. This tag by default escapes all the XML tags. So even if some attacker has added a script or other malicious item to the request data, you will be safe.
  3. Cookie: It's best to exchange cookies in secure mode. Try to use HTTPS/SSL only in case of public sites with crucial transactions. So if one is using HTTPS and cookies, the Java Cookie object's "setSecure()" method should be called to ensure that "the browser will send the cookie using a secure protocol only, such as HTTPS or SSL".
  4. ViewHelpers / Renders: If one is preparing some HTML to be rendered in View Helpers/Renders, one can use libraries like Reform. This will ensure that anything risky is properly encoded and cleaned before it is written as HTML.
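
To compare the input cleaning from item 1 with the output escaping from item 2, here is an added example (not the code snippet the post links to, and not code from any of the libraries named here). The class and method names are hypothetical, the strip rule is an assumed reading of "cleans the script tag and the < and > symbols", and the sample values are constructed.

```java
import java.util.regex.Pattern;

public class XssCleaningDemo {

    // Input-side cleaning in the style described in item 1 (assumed behaviour:
    // remove <script> tags, then drop any remaining '<' and '>').
    private static final Pattern SCRIPT_TAG =
            Pattern.compile("</?script[^>]*>", Pattern.CASE_INSENSITIVE);

    static String stripStyleClean(String value) {
        if (value == null) return null;
        String cleaned = SCRIPT_TAG.matcher(value).replaceAll("");
        return cleaned.replace("<", "").replace(">", "");
    }

    // Output-side escaping of the five characters that c:out escapes by default.
    static String escapeXml(String value) {
        if (value == null) return "";
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for request parameters.
        String[] samples = {
            "Tom & Jerry <b>fans</b>",
            "size=\"large\" colour='red'",
            "<SCRIPT>var x = 1;</SCRIPT>hello"
        };
        for (String s : samples) {
            System.out.println("raw      : " + s);
            System.out.println("stripped : " + stripStyleClean(s));
            System.out.println("escaped  : " + escapeXml(s));
            System.out.println();
        }
    }
}
```

The stripped values still carry `"`, `'` and `&` unchanged and no longer match what the user typed, while the escaped values keep the original text and can be printed in HTML body text or inside a quoted attribute value.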

Tools to fix XSS issues in Java

  1. HDIV : If you have an MVC-based J2EE app that uses either Struts or Spring, the best solution available today is HDIV. This tool is compliant with all possible standards laid out by OWASP. The cipher and hash mechanism employed ensures that each tampered request is always detected and fails to cause any security breach. This library requires very little integration effort, because it overrides the existing tags in both Spring and Struts. So one can just keep on using the existing code after doing the minimal setup. One can also use HDIV with plain JSTL tags; it overrides the CORE library for the c:url and c:redirect tags.
  2. Reform : This library is released by OWASP for Java. It's basically useful for encoding various HTML content such as HTML code, attributes and JavaScript.
  3. XssProtect : This library is available as a Google Code project. It's a pluggable filter-based mechanism that supports the addition of custom filters too. The library's developers say that it's tested against all tests mentioned in http://ha.ckers.org/xss.htm
  4. Anti XSS For Java : This library is a port of the Microsoft Anti Xss Library to Java. So anyone who is familiar with the Microsoft version will be more comfortable using this library. It again gives a couple of methods useful for encoding HTML code, attributes and script content against XSS.