
I am using HDIV in my project to secure it against the OWASP list, but text boxes are accepting <script>alert(1);</script> as input and saving it to the DB.

I want to write test cases for all OWASP issues.

Below is the project configuration.

web.xml Configuration

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>               
        WEB-INF/spring/applicationContext-db.xml
        WEB-INF/spring/spring-security.xml
        WEB-INF/spring/hdiv-config.xml
    </param-value>
</context-param>

webmvc-config.xml Configuration

<import resource="applicationContext-hdiv.xml" />

applicationContext-hdiv.xml Configuration

<beans>
    <bean id="requestDataValueProcessor"
          class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor" />

    <bean id="editableValidator" class="org.hdiv.web.validator.EditableParameterValidator" />
    <mvc:annotation-driven validator="editableValidator" />
</beans>

hdiv-config.xml Configuration

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:hdiv="http://www.hdiv.org/schema/hdiv"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                           http://www.hdiv.org/schema/hdiv http://www.hdiv.org/schema/hdiv/hdiv.xsd">

    <hdiv:config excludedExtensions="css,js,ttf" errorPage="/manage/security-error"
                 maxPagesPerSession="10" confidentiality="true" strategy="memory" randomName="true">
        <hdiv:sessionExpired loginPage="/main/common" homePage="/" />
        <!-- Start pages are entry points that need no HDIV state; note that the "/.*" entry matches every GET URL. -->
        <hdiv:startPages method="get">/,/.*,/manage/.*,/login</hdiv:startPages>
    </hdiv:config>

    <!-- Allowlist (acceptedPattern) and denylist (rejectedPattern) applied to editable text fields. -->
    <hdiv:validation id="customValidation" componentType="text">
        <hdiv:acceptedPattern><![CDATA[^[a-zA-Z0-9@.\-_]*$]]></hdiv:acceptedPattern>
        <hdiv:rejectedPattern><![CDATA[(\s|\S)*(--)(\s|\S)*]]></hdiv:rejectedPattern>
    </hdiv:validation>

    <hdiv:editableValidations registerDefaults="true">
        <hdiv:validationRule url=".*" enableDefaults="false">customValidation</hdiv:validationRule>
    </hdiv:editableValidations>
</beans>
Prashant Shah

2 Answers


XSS is an output problem, not an input problem. Input validation is about making sure data is correct according to the domain. So for instance you want to check that a field expecting to take a year actually receives a number within the expected range. You may also want to make sure that only allowed characters are in use. And in many cases this will stop many attacks.

However, for complex inputs this is no longer viable. Consider a text field where you want to allow users to comment. The user should be allowed to write a comment such as "And hence x < 4". Now we are allowing characters used to build HTML tags.

Now we have two options:

  1. Use a tool to strip out dangerous HTML - likely to fail at some point
  2. Use context aware escaping as described in the OWASP XSS prevention cheat sheet
Erlend
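Added example (my code, not Erlend's and not from the HDIV project) putting the two layers side by side in Java on the Spring stack the question uses. Layer 1 is domain validation: a year-range check and the same acceptedPattern/rejectedPattern pair as the question's customValidation. Layer 2 is context-aware output encoding using Spring's HtmlUtils and JavaScriptUtils plus the JDK's URLEncoder. The class name and the sample strings are assumptions. It shows that the allowlist rejects <script>alert(1);</script> but also rejects the harmless comment "And hence x < 4", while output encoding renders both safely in an HTML body, a quoted attribute, a JavaScript string literal and a URL query parameter.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.regex.Pattern;

import org.springframework.web.util.HtmlUtils;
import org.springframework.web.util.JavaScriptUtils;

/** Added example: validate input against the domain, encode output per context. */
public class XssLayersExample {

    // Same pair of patterns as the question's hdiv-config.xml "customValidation".
    private static final Pattern ACCEPTED = Pattern.compile("^[a-zA-Z0-9@.\\-_]*$");
    private static final Pattern REJECTED = Pattern.compile("(\\s|\\S)*(--)(\\s|\\S)*");

    /** Domain check for a field that must hold a plausible four-digit year. */
    public static boolean isValidYear(String raw) {
        if (raw == null || !raw.matches("\\d{4}")) {
            return false;
        }
        int year = Integer.parseInt(raw);
        return year >= 1900 && year <= 2100;
    }

    /** Allowlist plus denylist check for identifier-like fields (user names, e-mail addresses). */
    public static boolean isValidIdentifier(String raw) {
        return raw != null
                && ACCEPTED.matcher(raw).matches()
                && !REJECTED.matcher(raw).matches();
    }

    /** For an HTML body or a double-quoted attribute value. */
    public static String forHtml(String untrusted) {
        return HtmlUtils.htmlEscape(untrusted);
    }

    /** For the inside of a JavaScript string literal, e.g. var c = "..."; */
    public static String forJsString(String untrusted) {
        return JavaScriptUtils.javaScriptEscape(untrusted);
    }

    /** For a single URL query parameter value. */
    public static String forUrlParam(String untrusted) throws UnsupportedEncodingException {
        return URLEncoder.encode(untrusted, "UTF-8");
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String payload = "<script>alert(1);</script>"; // the probe from the question
        String comment = "And hence x < 4";             // legitimate free text (constructed sample)
        String sqlProbe = "admin--";                    // passes ACCEPTED, caught by REJECTED

        // Layer 1: structured fields get a domain check ...
        report("year 2015", isValidYear("2015"));
        report("year 2015<script>", isValidYear("2015<script>"));
        // ... identifier-like fields get the allowlist, which rejects the probes ...
        report("identifier p.shah@example.com", isValidIdentifier("p.shah@example.com"));
        report("identifier " + sqlProbe, isValidIdentifier(sqlProbe));
        report("identifier " + payload, isValidIdentifier(payload));
        // ... but also rejects ordinary prose, because '<' and ' ' are not in the allowlist
        report("identifier " + comment, isValidIdentifier(comment));

        // Layer 2: an encoder chosen by output context neutralises both strings
        System.out.println("<p>" + forHtml(payload) + "</p>");
        System.out.println("<p>" + forHtml(comment) + "</p>");
        System.out.println("<input value=\"" + forHtml(comment) + "\">");
        System.out.println("<script>var c = \"" + forJsString(payload) + "\";</script>");
        System.out.println("/search?q=" + forUrlParam(comment));
    }

    private static void report(String what, boolean accepted) {
        System.out.println((accepted ? "accepted: " : "rejected: ") + what);
    }
}
```

Run main to see the encoded forms. The point for the question is that a <script> string sitting in the database is only dangerous when it is later written into a page without encoding, so the test case to write is one that renders a stored payload and asserts the response contains &lt;script&gt; rather than <script>, in every context the value is emitted.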

Remove the 'requestDataValueProcessor' and 'editableValidator' beans from the 'applicationContext-hdiv.xml' file; they are automatically created by the tag.

Have a look at this project configuration for a working example: https://github.com/hdiv/hdiv-spring-mvc-showcase

gillarramendi
  • Hi, I have done all of the above configuration, but it is still accepting the input and giving the log INFO: HDIV_PARAMETER_NOT_EXISTS;/Bhoomi/getSurveyList;255643103;null;0:0:0:0:0:0:0:1;0:0:0:0:0:0:0:1;anonymous for the Ajax request and INFO: INVALID_CONFIDENTIAL_VALUE;/Bhoomi/manageMutation/addApplicantDetails;district;30;[19, 17, 18, 15, 16, 13, 14, 11, 12, 21, 20, 22, 23, 24, 25, 26, 27, 28, 29, 3, 2, 10, 1, 30, 7, 6, 5, 4, 9, 8];0:0:0:0:0:0:0:1;0:0:0:0:0:0:0:1;anonymousUser for the controller request – Prashant Shah Jan 16 '15 at 06:07
  • Ok, HDIV is detecting the attack (INVALID_CONFIDENTIAL_VALUE). Now you have to manage the error (which is part of the Spring MVC error stack) and show the form page again, like in this example: https://github.com/hdiv/hdiv-spring-mvc-showcase/blob/master/src/main/java/org/hdiv/samples/mvc/controllers/SQLStringInjectionController.java#L49 – gillarramendi Jan 16 '15 at 12:53
  • Hi, thanks for the reply. My controller is not printing any error for the same; only logs are coming as (INVALID_CONFIDENTIAL_VALUE), (INVALID_EDITABLE_VALUE), and the log prints errors :: org.springframework.validation.BeanPropertyBindingResult: 0 errors – Prashant Shah Jan 19 '15 at 10:30
  • Have you included this line in your config? https://github.com/hdiv/hdiv-spring-mvc-showcase/blob/master/src/main/webapp/WEB-INF/SampleMvc-servlet.xml#L16 – gillarramendi Jan 19 '15 at 15:49
  • Yes, now it is going to the default error controller defined in hdiv-config. Thanks – Prashant Shah Jan 20 '15 at 09:18
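Added example (my code, not the asker's and not the HDIV showcase's) of the controller side of gillarramendi's comment about managing the error and showing the form again. It assumes the editable validator is wired through <mvc:annotation-driven validator="editableValidator"/> as in the question's config, so an @Valid form parameter receives the editable-field result in its BindingResult, and the handler re-renders the form when that result has errors instead of persisting the value. The controller and form class names, the field names, the view names and the in-memory list standing in for the database are all assumptions.

```java
import java.util.ArrayList;
import java.util.List;

import javax.validation.Valid;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/**
 * Added example: handle a rejected editable field in the controller by
 * re-rendering the form, so the rejected value is never saved.
 */
@Controller
@RequestMapping("/manageMutation")
public class AddApplicantDetailsController {

    /** Hypothetical form backing bean; the field names are assumptions. */
    public static class ApplicantForm {
        private String applicantName;
        private String district;

        public String getApplicantName() { return applicantName; }
        public void setApplicantName(String applicantName) { this.applicantName = applicantName; }
        public String getDistrict() { return district; }
        public void setDistrict(String district) { this.district = district; }
    }

    /** Stand-in for the real persistence layer (assumption, in-memory only). */
    private final List<ApplicantForm> saved = new ArrayList<ApplicantForm>();

    @RequestMapping(value = "/addApplicantDetails", method = RequestMethod.GET)
    public String showForm(Model model) {
        model.addAttribute("applicantForm", new ApplicantForm());
        return "applicantForm"; // hypothetical view name
    }

    @RequestMapping(value = "/addApplicantDetails", method = RequestMethod.POST)
    public String submit(@Valid @ModelAttribute("applicantForm") ApplicantForm form,
                         BindingResult result) {
        // BindingResult must directly follow the @Valid parameter; otherwise Spring
        // throws BindException before this method is ever entered.
        if (result.hasErrors()) {
            // The configured validator rejected a field (the INVALID_EDITABLE_VALUE
            // case from the comments). Show the form again with the field errors;
            // <form:errors path="applicantName"/> in the JSP renders the message
            // (escaped by the form tag library). Nothing is persisted.
            return "applicantForm";
        }
        saved.add(form);
        return "redirect:/manageMutation/addApplicantDetails";
    }

    /** Exposed so a test can check that a rejected submission was not stored. */
    public int savedCount() {
        return saved.size();
    }
}
```

For the test cases the question asks for, post <script>alert(1);</script> in applicantName through the HDIV filter and assert that the response is the form view and that savedCount() is still 0, rather than asserting on the INFO log line. The INVALID_CONFIDENTIAL_VALUE entry for the district parameter is a different check (a select value that was not one HDIV generated for that page) and is handled by the errorPage configured in hdiv-config.xml, not by this BindingResult.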