February 18, 2009

Java J2ee Struts Spring JSP Cross Site Scripting or XSS framework library tools

There are many ways to handle XSS (cross-site scripting) problems in Java, J2EE, Struts, Spring and JSP. This post covers the most popular tools and ways to do that. In this post I will explain about tools like

Ways to fix XSS issues in Java



  1. Servlet Filters: Perhaps the most common way is to have an inbound servlet filter that intercepts each incoming request and wraps it in an HttpServletRequestWrapper that returns each parameter value cleaned of XSS possibilities. One can see the Code Snippet here. The approach shown in this example is pretty simple: the request wrapper cleans the script tag and the < and > symbols. So this solution does not protect you from SQL injection attacks by default. If one needs more secure filtering, one can mix it with libraries like Reform, XssProtect or AntiXss. This mix-and-match approach will give you a good solution.
  2. JSP Printing: The other way to safeguard yourself is not to use scriptlets like <%= at all for printing any data that carries user-supplied values. Instead of a scriptlet, one can use tags that escape the value printed in HTML, like c:out. This tag by default escapes all the XML tags. So even if some hacker has added a script or other malicious item to the request data, you will be safe.
  3. Cookie: It's best to exchange cookies in secure mode. Try to use only HTTPS/SSL in the case of public sites with crucial transactions. If one is using HTTPS and cookies, the Java Cookie object's "setSecure()" method should be called to ensure that "the browser will send the cookie using a secure protocol only, such as HTTPS or SSL".
  4. ViewHelpers / Renderers: If one is preparing some HTML to be rendered in View Helpers/Renderers, one can use libraries like Reform. This will ensure that anything risky is properly encoded and cleaned before it is written as HTML.
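
The difference between the input-stripping filter of item 1 and the output escaping of item 2, as an added Java example that is not part of the original post or of any library named here. stripFilter is a constructed stand-in for the simple wrapper described above, escapeXml covers the five characters c:out escapes by default, and the sample values are constructed.

```java
public class XssFilterVsEscape {
    // Constructed stand-in for the simple request-wrapper cleaning described
    // in item 1: drop <script> tags, then drop any remaining < and >.
    static String stripFilter(String value) {
        String noScript = value.replaceAll("(?i)</?script[^>]*>", "");
        return noScript.replace("<", "").replace(">", "");
    }

    // Output-side escaping of the five characters c:out escapes by default.
    static String escapeXml(String value) {
        StringBuilder out = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // True when a raw double quote would end a value="..." attribute early.
    static boolean endsAttributeEarly(String rendered) {
        return rendered.indexOf('"') >= 0;
    }

    public static void main(String[] args) {
        String[] samples = {   // constructed parameter values
            "<script>alert(1)</script>",
            "\" onmouseover=\"alert(1)",
            "Tom & Jerry <3"
        };
        for (String s : samples) {
            String filtered = stripFilter(s);
            String escaped = escapeXml(s);
            System.out.println("input   : " + s);
            System.out.println("  filter: " + filtered
                    + "  [attribute broken: " + endsAttributeEarly(filtered) + "]");
            System.out.println("  escape: " + escaped
                    + "  [attribute broken: " + endsAttributeEarly(escaped) + "]");
        }
    }
}
```

The second sample passes through the filter unchanged and would still close a value="..." attribute, and the third loses its < character. Escaping at output handles both without altering the stored data.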

Tools to fix XSS issues in Java

  1. HDIV : If you have an MVC-based J2EE app that uses either Struts or Spring, the best solution available today is HDIV. This tool is compliant with all possible standards laid out by OWASP. The cipher and hash mechanism employed ensures that each tampered request is always detected and fails to cause any security breach. This library requires very little integration effort, because it overrides the existing tags in both Spring and Struts. So one can just keep on using the existing code after doing the minimal setup. One can also use HDIV with plain JSTL tags; it overrides the CORE library for the c:url and c:redirect tags.
  2. Reform : This library is released by OWASP for Java. It's basically useful for encoding various HTML content such as HTML code, attributes and JavaScript.
  3. XssProtect : This library is available as a Google Code project. It's a pluggable filter-based mechanism that supports the addition of custom filters too. The library's developers say that it's tested against all tests mentioned in http://ha.ckers.org/xss.htm
  4. Anti XSS For Java : This library is a port of the Microsoft Anti Xss Library to Java. So anyone familiar with the Microsoft version will be more comfortable using this library. It again gives a couple of methods useful for encoding HTML code, attributes and script content against XSS.

February 13, 2009

XSS Testing Acceptance Tools Software Frameworks comparison

This post covers the free or paid tools and software available for XSS (cross-site scripting) testing. These tools are not specific to any programming language and can be used with any .NET, Java, J2EE, PHP, Ruby or Python web application.

These days I was researching good tools to test XSS vulnerability on a given website. I came across a couple of tools; following are the results of my experience with them.
  • Paid Tools
  1. IBM App Scan: App Scan looks like a good tool, but its free editions are only available for testing with IBM's test site. So it was again of no use for me. But for companies with money to spend, it looks like a good solution, as Salesforce is using it.
  2. WebInspect : This looks like a good product from HP. But the problem is it's not free, and the dependency on MS SQL Server 2005 makes it even more difficult to install and use. But for companies with money to spend, it looks like a good solution, as Salesforce is using it.
  • FREE Tools (Automatic/semi automatic)
  1. Firefox GreaseMonkey plugin with the user script provided by whiteacid. This solution didn't work at all for me. I tried to hit "User Script Commands > Start XSSing Forms" on my required forms, but nothing happened.
  2. Nikto : It's a good tool for scanning web servers for problems. Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). This can be useful to test your web servers for various port and known security limitations. It's used by Salesforce for their security checks, so you can be assured of its quality, and it's free :).
  3. Xss Me : This tool is a Firefox plugin. It's the one I enjoyed working with most. It's pretty simple to use: you can run an XSS test on any web form opened in Firefox, merely by right-clicking and selecting "Open XSS Me SideBar" and hitting "Test All forms with all attacks". The scanning reports are good and pretty detailed too. It's a great tool to use and it's free.
  4. Sql Inject Me : Again from the same company as Xss Me. It's for testing SQL injection, with a similar interface to XSS Me. Definitely a tool that I would recommend. Again, it's free.
  • FREE Proxy based manual testing tools
  1. Burp Proxy : Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications. It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions. So it's again a manual testing tool, and it's free.
  2. Fiddler : Fiddler is an HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language. Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.
  3. Paros Proxy : Paros is a good tool for manually tampering with GET and POST requests. So one can modify any outgoing request params with JavaScript XSS content like script, eval etc. for testing. The only issue with this is that you need to change the proxy settings in your browser to point to Paros to make it work.
  4. OWASP WebScarab Project : It's a proxy-based testing tool from OWASP. It's written in Java and allows you to intercept and modify HTTP and HTTPS requests.
  5. WebScarab (Next Generation) Project : WebScarab-NG is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly. To this end, WebScarab-NG makes use of the Spring Rich Client Platform to provide the user interface features.
  6. etc

February 10, 2009

IE javascript table createElement tr not working error cells[0] undefined

In IE, if one creates a table through JavaScript and then creates row and cell objects inside it, it doesn't work. The rows built with the document.createElement() API do not behave as expected in Internet Explorer, and one gets the cells[0] undefined error.

The complete scenario is as follows:

I recently faced this error on Internet Explorer only. I created the table, rows and cells using JS as follows:
----------------------------------------------------------------------------
// Utility function to create a tag in a browser-neutral way.
// isIE is assumed to be a boolean set elsewhere by the page's browser detection.
function createTag(parent, tag) {
    var createdTag = null;
    if (isIE) {
        // Legacy IE accepts the element as markup in createElement()
        createdTag = document.createElement("<" + tag + ">");
    } else {
        createdTag = document.createElement(tag);
    }
    if (parent) {
        parent.appendChild(createdTag);
    }
    return createdTag;
}

// Code snippet that creates a table row and then a cell inside the row.
// This was failing in IE (Internet Explorer).

var tblBody = document.getElementById("tblObjId");
var tr = createTag(tblBody, "tr");
var td = createTag(tr, "td");
// The error was raised on this line
tr.cells[0].innerHTML = "<i>First cell</i>";
----------------------------------------------------------------------------
In IE, a JavaScript "undefined" error started coming when I tried to access the row cell using tr.cells[0].
This code snippet was working well in all other browsers. The simple fix for this problem is as follows.

var tblBody = document.getElementById("tblObjId");
// 1. Create a <tbody> tag inside table object first
var tbody = createTag(tblBody, "tbody");
// 2. Create all the required rows inside the TBODY object
var tr = createTag(tbody, "tr");
var td = createTag(tr, "td");
// Now this code will work fine on any browser
tr.cells[0].innerHTML = "<i>First cell</i>";

February 9, 2009

Javascript IE setAttribute("class", or getAttribute("class") className error

In Internet Explorer, the JavaScript setAttribute("class", ) or getAttribute("class") method doesn't work or gives an error in some versions. So instead of that, one can use the "className" attribute of a given DOM element.

The code snippet and description follow.

To change the "class" attribute of an HTML DOM element, we usually use the following syntax:

DOMObject.setAttribute("class", "NewCSSClassName");

where "NewCSSClassName" is the name of new CSS class for the HTML DOM element.

This works fine in all browsers except IE. In IE, to read or write the "class" attribute of an HTML DOM element, use the "className" attribute instead. This "className" attribute works well in all browsers.

So the above code snippet after changing the property will look as below:

DOMObject.className = "NewCSSClassName";