0

On our website we have a Search field and a security researcher has advised us that this is open to XSS exploits as visitors could attempt to execute full JavaScript. They sent us a simple example URL which causes a JavaScript alert box to appear on the Search page - the URL parameters are search?submitted=true&action=search&siteId=2.9945&freeText=1";confirm(/XSSPOSED/);a="&sort=publishedDate_descending&slotSearch=true

The security researcher advised that all data should be passed through a function similar to PHP's htmlentities with both ent quotes and UTF8 flags set to prevent exploitation using obfuscation. So I have searched to see if there is a Java equivalent to htmlentities, and I found the escapeHtml() and escapeJavaScript() methods from the StringEscapeUtils class from Apache Commons Lang: https://commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/apache/commons/lang/StringEscapeUtils.html. The escapeHtml() method escapes HTML characters such as < and > but I'm not so sure about JavaScript. The escapeJavaScript method actually seems to escape the characters in a String using JavaScript String rules, rather than stripping out the JavaScript itself.

So, does anyone know of a solution that will 100% stop JavaScript being rendered on the page?

Victoria
  • 901
  • 3
  • 15
  • 30
  • Have a look around, string sanitization has already been discussed a few times. This here probably helps: http://stackoverflow.com/questions/3413297/how-to-sanitize-html-code-in-java-to-prevent-xss-attacks?rq=1 – Slettal Mar 31 '16 at 09:07

1 Answers1

0

If you are using java and want to verify it at back end, you can use this code, here in this example its checking if user is not sending and suspicious value instead of his name.

if (CommonUtility.checkValidate(firstName) || CommonUtility.checkValidate(lastName) ||
 CommonUtility.checkValidate(newUserName)) {
        response
        .sendRedirect(PHConstants.CONTEXT_PATH
            + "/login/registrationError.jsp");
        return;
        }


    public static boolean checkValidate(String name) {
        if (null != name) {
        String patternString = ".*javascript:.*|.*//.*|.*<.*|.*>.*";
        Pattern pattern = Pattern.compile(patternString);
        Matcher matcher = pattern.matcher(name);
        return matcher.matches();
        }
        return false;
    }

we can identify the tempered URL on server side, by adding rules which identifies it. This is done by adding conf file in RuleConf folder

Code sample for your reference:

SecRule REQUEST_LINE "@contains myapp/access/PageServlet?url=/notices/dummyNotifPage.jsp" "chain,phase:2,t:none,status:403,msg:'Generic javascript Injection prevention',severity:2"
SecRule ARGS|QUERY_STRING "(<[^>]*>)" "status:403"
 
SecRule REQUEST_LINE "@contains myapp/access/PageServlet?url=/notices/dummyNotifPage.jsp" "chain,phase:2,t:none,status:403,msg:'Generic javascript Injection prevention',severity:2"
SecRule ARGS|QUERY_STRING "(?i)javascript:" "status:403"
 
SecRule REQUEST_LINE "@contains myapp/access/PageServlet?url=" "chain,phase:2,t:none,status:403,msg:'Check for double slashes in url parameter',severity:2"
SecRule ARGS|QUERY_STRING "/{2}" "status:403"
RishiKesh Pathak
  • 2,122
  • 1
  • 18
  • 24
  • 2
    Please don't do that, there are countless ways to obfuscate xss attacks and trick xss regex filters. Use an established library like OWASPs AntiSamy instead https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project – Slettal Mar 31 '16 at 09:15