Solved

Cross Site Scripting implementation

Posted on 2012-03-14
7
681 Views
Last Modified: 2012-03-16
Hi All

There was some penetrating tests that was conducted in our existing production java application, and one of the recommendation is to address cross site scripting.

I need inputs from experts on implementing this cross side without the need make changes in every artifact

something like setting up some config file, etc if possible

Regards
0
Comment
Question by:Srirampriya
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 350 total points
ID: 37723661
i'd start with this link:
http://www.veracode.com/security/xss

the video by Chris Eng describes well what XSS means and ways to prevent it.

The following is taken from XSS Cheat Sheet from their website:
To prevent Cross-site Scripting vulnerabilities, you should URLEncode all user input that is returned as part of URLs. This will convert ?, &, /, <, >, and spaces to their respective URL encoded equals. Additionally, you should HTMLEncode all user input returned as part of HTML. This will also convert special characters into their respective HTML encoded equals. Last but not the least, you should convert all user input to a single character encoding before parsing. This applies to Single/Double Hex Encoding, Unicode Encoding, and UTF-8 Parsing.
In order to avoid Cross-site Scripting vulnerabilities, you can perform the following actions:
1. URLEncode all user input returned as part of URLs (convert ?, &, /, <, >, and spaces to their respective URL encoded equals).
2. HTMLEncode all user input returned as part of HTML.
3. Convert all user input to a single character encoding before parsing.

cheers
0
 
LVL 20

Expert Comment

by:Sathish David Kumar N
ID: 37723852
Use filter concept or interceptor concept .....

when all your request/response goes to filter or interceptor .. then you cant get the form values in the URL.  you can stop Corss Site scripting .
0
 
LVL 20

Expert Comment

by:Sathish David Kumar N
ID: 37723900
In Filter you can do set encoding or URLEncode.
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 

Author Comment

by:Srirampriya
ID: 37725570
Hi Dravid

could you share some reference or code fragments on this.

also I do not want to change in all my files. can you please explain a bit
0
 
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 350 total points
ID: 37725649
0
 
LVL 20

Accepted Solution

by:
Sathish David  Kumar N earned 150 total points
ID: 37726263
0
 

Author Closing Comment

by:Srirampriya
ID: 37728311
Need to try
0

Featured Post

Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will learn different types of Android Layout and some basics of an Android App.
In this post we will learn how to connect and configure Android Device (Smartphone etc.) with Android Studio. After that we will run a simple Hello World Program.
This theoretical tutorial explains exceptions, reasons for exceptions, different categories of exception and exception hierarchy.
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question