wantToLearn

Reputation: 491

How to detect XSS in Java using OWASP

I have this thing which I'm dealing with right now, XSS.

I need to detect if a string contains XSS or not. In order to solve it I used that link. And this is the code I'm using:

import org.apache.commons.lang3.StringUtils;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Entities;
import org.jsoup.safety.Whitelist;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

// Class wrapper and name added so the snippet compiles; the original post showed only the methods.
public class XssFilter {

    public static boolean containsXSS(String value) {
        if (StringUtils.isEmpty(value)) {
            return false;
        }
        // The input is treated as XSS whenever sanitising changes it
        String stripXss = stripXSS(value);
        return !value.equals(stripXss);
    }

    public static String stripXSS(String value) {
        if (StringUtils.isBlank(value))
            return value;

        // Use the ESAPI library to avoid encoded attacks.
        Encoder encoder = ESAPI.encoder();
        value = encoder.canonicalize(value);

        // Avoid null characters
        value = value.replaceAll("\0", "");

        // Clean out HTML (strip every tag, entity-encode what remains)
        Document.OutputSettings outputSettings = new Document.OutputSettings();
        outputSettings.escapeMode(Entities.EscapeMode.xhtml);
        outputSettings.prettyPrint(false);
        value = Jsoup.clean(value, "", Whitelist.none(), outputSettings);

        return value;
    }
}

Using the code above I do succeed in catching things like: <script>alert('xss')</script>

My problem is that I identify the following string as containing XSS although it's not: {"item" :5}

It's because jsoup.clean turns it into {&quot;item&quot; :5}

I have tried to solve it but with no success. It makes me wonder if my algorithm is completely wrong (if so, where can I find the algorithm to detect XSS?); perhaps I don't need to compare to the original String?

I would very much appreciate it if you could help me.

Thanks

Upvotes: 0

Views: 4673

Answers (1)

Erlend

Reputation: 4416

You cannot detect if a string contains XSS. XSS is an output issue, not an input issue. Data benign in one context can cause malicious behaviour in another.

  1. Validate data using white lists to ensure data is valid in your domain (numbers are numbers, names do not contain unwanted characters, etc.). This will stop some but definitely not all attacks.

  2. Contextually encode user provided output as explained in the OWASP XSS prevention cheat sheet

  3. Don't mix client side and server side templates

  4. Be careful when using unsanitized data in JavaScript (see DOM-based XSS)

Upvotes: 2
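Points 1 and 2 of the answer in working form, as an added example that is not code from the question, the answer, or OWASP: it assumes the OWASP Java Encoder library (org.owasp.encoder.Encode) is on the classpath, and the display-name pattern, method names and sample values are constructed for illustration. The JSON string from the question is never "detected"; it is simply encoded for the context it is written into.

```java
// Added example: white-list input validation plus contextual output encoding
// with the OWASP Java Encoder. Assumes org.owasp.encoder:encoder is on the
// classpath; the pattern, method names and sample values are constructed.
import org.owasp.encoder.Encode;
import java.util.regex.Pattern;

public class ContextualEncodingExample {

    // Step 1 (white-list validation): accept only what the domain allows.
    // A display name here: letters, digits, spaces, apostrophes, hyphens; 1-64 chars.
    private static final Pattern DISPLAY_NAME =
            Pattern.compile("^[\\p{L}\\p{N} '\\-]{1,64}$");

    public static boolean isValidDisplayName(String s) {
        return s != null && DISPLAY_NAME.matcher(s).matches();
    }

    // Step 2 (contextual encoding): the same untrusted value needs a different
    // encoder depending on where in the page it lands.
    public static String inHtmlBody(String untrusted) {
        return "<p>" + Encode.forHtml(untrusted) + "</p>";
    }

    public static String inAttribute(String untrusted) {
        return "<input value=\"" + Encode.forHtmlAttribute(untrusted) + "\">";
    }

    public static String inScriptString(String untrusted) {
        // Inside a JavaScript string literal within a <script> block.
        return "<script>var item = '" + Encode.forJavaScript(untrusted) + "';</script>";
    }

    public static void main(String[] args) {
        String json = "{\"item\" :5}";                   // benign value the question flagged
        String probe = "<script>alert('xss')</script>";  // test string from the question

        // No detection step: each value is rendered safely because the encoder
        // neutralises exactly the characters that matter in that context.
        System.out.println(inHtmlBody(json));
        System.out.println(inHtmlBody(probe));
        System.out.println(inAttribute(json));
        System.out.println(inScriptString(probe));

        // Validation rejects the probe as a name without claiming to "detect XSS".
        System.out.println(isValidDisplayName("Erlend O'Brien"));
        System.out.println(isValidDisplayName(probe));
    }
}
```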
