hny

Reputation: 13

Fixing cross-site scripting vulnerability in Java using OWASP

I am working on fixing cross-site scripting issues in Java. Since I am new to OWASP, could someone please help me figure out how to use OWASP in the cases below to sanitize inputs?

  1. `Enumeration<String> EnumHeader = request.getHeaderNames();`

  2. `Map<String, String[]> pMap = request.getParameterMap();`

  3. `Object value = request.getHeader(key);`

  4. `String[] refs = (req.getParameterValues(REFS_NAME));`

Upvotes: 1

Views: 23755

Answers (3)

mnz

Reputation: 1

Cross-site scripting can be fixed by encoding the parameter and also by validating the parameter with a customized regex.

For example: `Encode.forHtml(inputparam)`

There are several types of context-based encoding using the OWASP encoder. If you're not sure about the encoder or validation pattern, try the cross-site scripting validator below to make sure the fix approach works (is right).

XSS validator for Java: http://fixforscrossite.us-east-2.elasticbeanstalk.com/

Upvotes: 0

Kevin W. Wall

Reputation: 1462

While data validation can be very helpful in preventing XSS, it doesn't necessarily cover all the bases for persistent XSS. The only 100% effective protection is proper contextual output encoding as offered by the OWASP Java Encoder Project, or OWASP ESAPI's Encoder. One reason for this is for persistent XSS, the tainted data can come from a DB that might be entered or altered by another application that has insert / update access to those same DB tables but which is NOT doing proper data validation. (That is, the tainted data could enter into your system in some other manner than through your application.) So the only foolproof solution is to do proper contextual output encoding. The OWASP XSS Prevention Cheat Sheet that you have already been pointed to is a great place to start that explains all of that.

Upvotes: 1

Filipe Freire

Reputation: 833

You could use an OS library to sanitize those Strings/Objects.

Example library: https://finn-no.github.io/xss-html-filter/

Then for those collections of headers and parameters you could iterate through them using Java 8 Streams, and map them to new filtered collections (that use the sanitizer library).

Upvotes: 0
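An added example (not code from any of the answers above or from the OWASP project) that combines Kevin's point about contextual output encoding with Filipe's suggestion of mapping the collections through Java 8 Streams. It uses the OWASP Java Encoder (`org.owasp.encoder.Encode`, assumed to be on the classpath) and applies a different encoder to each of the four request shapes from the question, depending on where the value ends up in the page: HTML body text, a quoted HTML attribute, or a JavaScript string. The `main` method feeds constructed sample values in place of a real `HttpServletRequest`, so it runs without a servlet container; the method names and the `loadFromDatabase` placeholder are hypothetical.

```java
import org.owasp.encoder.Encode;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

public class XssOutputEncoding {

    // Case 1: header names that will be rendered as HTML body text.
    // Collections.list() drains the Enumeration into a List so it can be streamed.
    static List<String> headerNamesForHtml(Enumeration<String> headerNames) {
        return Collections.list(headerNames).stream()
                .map(Encode::forHtml)
                .collect(Collectors.toList());
    }

    // Case 2: the whole parameter map, keys and every value, encoded for HTML body
    // text. LinkedHashMap keeps the original parameter order for readability.
    static Map<String, List<String>> parameterMapForHtml(Map<String, String[]> pMap) {
        return pMap.entrySet().stream()
                .collect(Collectors.toMap(
                        e -> Encode.forHtml(e.getKey()),
                        e -> Arrays.stream(e.getValue())
                                   .map(Encode::forHtml)
                                   .collect(Collectors.toList()),
                        (first, second) -> first,   // duplicate keys cannot occur after encoding, but toMap requires a merge function
                        LinkedHashMap::new));
    }

    // Case 3: a single header value written inside a quoted HTML attribute,
    // e.g. <input value="...">. The attribute encoder also escapes quotes.
    static String headerForHtmlAttribute(Object value) {
        return value == null ? "" : Encode.forHtmlAttribute(value.toString());
    }

    // Case 4: parameter values embedded inside a JavaScript string literal,
    // e.g. var refs = ['...']. A null array (parameter absent) yields an empty array.
    static String[] refsForJavaScript(String[] refs) {
        if (refs == null) {
            return new String[0];
        }
        return Arrays.stream(refs)
                .map(Encode::forJavaScript)
                .toArray(String[]::new);
    }

    // Persistent XSS: the value did not come through this request at all but from
    // storage another application may have written. Encoding happens at output
    // regardless of where the data originated, which is the point of Kevin's answer.
    static String storedCommentForHtml(String storedValue) {
        return Encode.forHtml(storedValue);
    }

    // Hypothetical placeholder standing in for a database read.
    static String loadFromDatabase() {
        return "<script>x</script> stored by some other app";
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for HttpServletRequest data.
        Enumeration<String> enumHeader = Collections.enumeration(
                new ArrayList<>(Arrays.asList("Host", "X-Custom<b>bold</b>")));
        Map<String, String[]> pMap = new LinkedHashMap<>();
        pMap.put("q", new String[] {"<i>search</i>", "plain"});
        pMap.put("page<", new String[] {"1"});
        Object value = "\" onmouseover=\"x";
        String[] refs = {"ref1", "';x//"};

        System.out.println("headers:   " + headerNamesForHtml(enumHeader));
        System.out.println("params:    " + parameterMapForHtml(pMap));
        System.out.println("attribute: " + headerForHtmlAttribute(value));
        System.out.println("js:        " + Arrays.toString(refsForJavaScript(refs)));
        System.out.println("stored:    " + storedCommentForHtml(loadFromDatabase()));
    }
}
```

The encoder is chosen by output context, not by input source: the same parameter value needs `forHtml` when it lands between tags, `forHtmlAttribute` inside a quoted attribute, and `forJavaScript` inside a script string, so the encoding call belongs in the view code that knows the context, not at the point where the request is read. Validation on input remains worthwhile as a second layer, but as Kevin notes it does not protect the page from data that reached the database by another path.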
