
Is there any alternative way to prevent XSS attacks other than the OWASP XSS filter software? I need suggestions on whether it is possible to prevent them at the Apache level. I am not a security expert, so I need detailed information. Thanks for your help.

Ripon Al Wasim
user1095983

2 Answers


XSS issues occur in the presentation layer, when data is displayed to the end user, so preventing them at the Apache level is not a valid approach.

OWASP ESAPI is a library (not filter software) that provides XSS protection as an API for encoding data in the presentation layer. Whenever something affected by user input is to be displayed, proper encoding should be applied. For example, the OWASP XSS Prevention Cheat Sheet has the following example for the JavaScript context:

String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );

and this one for "HTML attribute" context:

String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) );

Proper encoding varies depending on the current context (HTML, HTML attribute, JavaScript, etc.).

If you prefer not to use the OWASP library, you can do the encoding with other libraries such as apache.commons.StringEscapeUtils. But you need to be very careful to choose the correct method for your context.

mesutozer
  • My examples from OWASP ESAPI were just to describe the need for different encoding depending on the context. You can use other libraries, but you need to consider your context. – mesutozer Mar 21 '14 at 08:06
  • I have already tried the ESAPI XSS filter in my Java application. But there is one problem: we have a method used all over the application that calls getRemoteUser on an HttpServletRequestWrapper, which eventually reads from _getHttpServletRequest().getRemoteUser(). But after introducing the XSS filter, the username always comes back as anonymous, as the XSS request wrapper overrides this. – user1095983 Mar 21 '14 at 08:53
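The context dependence this answer describes, as an added example (not code from the answer, from OWASP ESAPI or from the cheat sheet; Python rather than the questioner's Java, with hand-written encoders standing in for the ESAPI ones): the same payload is placed in an inline event handler, which is a JavaScript string nested inside an HTML attribute. HTML-attribute encoding alone is defeated because the browser HTML-decodes the attribute value before the JavaScript parser sees it, so `&#x27;` turns back into `'`. Encoding for the inner context (JavaScript) first and then for the outer one (attribute) holds. The `track()` handler, the payload and the markup are constructed for the demonstration.

```python
import html
import re

# Added example, not code from the answer or from OWASP ESAPI. It shows why the
# encoder must match the output context: the same payload is inert in one
# nesting of contexts and executes in another.


def encode_for_html(s: str) -> str:
    """Encode for HTML element content (<p>...</p>): the five significant characters."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#x27;"))


def encode_for_html_attribute(s: str) -> str:
    """Encode for a quoted attribute value: every non-alphanumeric becomes &#xHH;."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};" for c in s)


def encode_for_javascript(s: str) -> str:
    """Encode for a JavaScript string literal: non-alphanumerics become \\xHH or \\uHHHH."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


# Constructed test input (not from the page): closes the JS string, runs code, reopens it.
PAYLOAD = "'); alert(document.cookie); ('"


def render_onclick(value: str, encode_js_first: bool) -> str:
    """Render <a onclick="track('VALUE')">: a JavaScript string nested inside an HTML attribute.

    The hypothetical track() handler stands in for any inline event handler.
    """
    inner = encode_for_javascript(value) if encode_js_first else value
    return '<a onclick="track(\'' + encode_for_html_attribute(inner) + '\')">x</a>'


def js_seen_by_browser(markup: str) -> str:
    """What the JS engine receives: the browser HTML-decodes the attribute value first."""
    m = re.search(r'onclick="([^"]*)"', markup)
    return html.unescape(m.group(1))


def js_string_closes_early(js: str) -> bool:
    """Scan track('...') and report whether the literal ends before the final ')."""
    prefix = "track('"
    if not js.startswith(prefix):
        raise ValueError("unexpected handler shape")
    i = len(prefix)
    while i < len(js):
        if js[i] == "\\":        # backslash escape: the next char cannot terminate the literal
            i += 2
            continue
        if js[i] == "'":
            return js[i + 1:] != ")"
        i += 1
    return True                  # literal never closed: also broken


def attribute_encoding_alone_is_bypassed(payload: str = PAYLOAD) -> bool:
    """Attribute encoding only: &#x27; is decoded back to ' before the JS parser runs."""
    return js_string_closes_early(js_seen_by_browser(render_onclick(payload, False)))


def layered_encoding_holds(payload: str = PAYLOAD) -> bool:
    """JS encoding first, then attribute encoding, matches the nesting of the contexts."""
    return not js_string_closes_early(js_seen_by_browser(render_onclick(payload, True)))


if __name__ == "__main__":
    print(encode_for_html("<script>alert(1)</script>"))
    print("attribute-only bypassed:", attribute_encoding_alone_is_bypassed())
    print("js-then-attribute holds: ", layered_encoding_holds())
```

Run it directly to see both outcomes. The general rule the example illustrates is to encode from the innermost context outwards, one encoder per nesting level; in a real application use a maintained encoder such as the ESAPI one discussed above rather than these hand-rolled functions.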

Another approach is to perform dynamic application security testing (DAST), exporting the findings as filters that are then imported into a web application firewall.

A web application firewall can be deployed as part of your Apache server. ModSecurity is an example of such a firewall.
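As an added example of the deployment this answer mentions (not configuration from the answer itself), a minimal ModSecurity 2.x setup inside an Apache virtual host. The log path and the rule id are placeholders; `@detectXSS` is the libinjection-based operator available in ModSecurity 2.8 and later.

```apache
# Added example, not from the answer: minimal ModSecurity 2.x in an Apache vhost.
# Assumes mod_security2 is loaded; the audit log path and rule id are placeholders.
<IfModule security2_module>
    SecRuleEngine DetectionOnly        # log only while tuning; switch to On afterwards
    SecRequestBodyAccess On            # inspect POST bodies, not just the query string
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Block request parameters that libinjection recognises as an XSS payload.
    SecRule ARGS "@detectXSS" \
        "id:100001,phase:2,deny,status:403,log,msg:'XSS payload in request parameter'"
</IfModule>
```

Start in DetectionOnly mode and review the audit log for false positives before enforcing. Note the caveat that goes with this approach: the firewall inspects incoming requests by pattern, so it can be bypassed by payloads it does not recognise and it does not fix the missing output encoding in the application; it is a second layer in front of the fix described in the other answer, not a replacement for it.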