Cross Site Scripting implementation

Posted on 2012-03-14
Last Modified: 2012-03-16
Hi All

There were some penetration tests conducted on our existing production Java application, and one of the recommendations is to address cross-site scripting.

I need input from experts on implementing this cross-site scripting protection without the need to make changes in every artifact,

something like setting up a config file, etc., if possible.

Regards
Question by:Srirampriya
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 350 total points
I'd start with this link:
http://www.veracode.com/security/xss

the video by Chris Eng describes well what XSS means and ways to prevent it.

The following is taken from XSS Cheat Sheet from their website:
To prevent Cross-site Scripting vulnerabilities, you should URLEncode all user input that is returned as part of URLs. This will convert ?, &, /, <, >, and spaces to their respective URL encoded equivalents. Additionally, you should HTMLEncode all user input returned as part of HTML. This will also convert special characters into their respective HTML encoded equivalents. Last but not least, you should convert all user input to a single character encoding before parsing. This applies to Single/Double Hex Encoding, Unicode Encoding, and UTF-8 Parsing.
In order to avoid Cross-site Scripting vulnerabilities, you can perform the following actions:
1. URLEncode all user input returned as part of URLs (convert ?, &, /, <, >, and spaces to their respective URL encoded equivalents).
2. HTMLEncode all user input returned as part of HTML.
3. Convert all user input to a single character encoding before parsing.

cheers
LVL 20

Expert Comment

by:Sathish David Kumar N
Use the filter concept or the interceptor concept.

When all your requests/responses go through a filter or interceptor, then you can't get the form values in the URL. You can stop cross-site scripting.
 
LVL 20

Expert Comment

by:Sathish David Kumar N
In the filter you can set the encoding or URL-encode.
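One way to put the filter idea from the two comments above into code, written in Java against the javax.servlet API of the time. This is an added example, not code from the thread or from any library the thread names; the class name XssEscapingFilter, the filter name `xss`, the init parameter `encoding` and the `/*` URL pattern are assumptions chosen for illustration. The filter does all three cheat-sheet steps from sedgwick's post in one place: it forces a single request character encoding before any parameter is parsed, wraps the request so that every value read through getParameter()/getParameterValues() comes back HTML-encoded, and exposes a URL-encoding helper for values that a servlet or JSP places into a link. Because it is registered once in web.xml, no individual servlet or JSP has to change.

```java
// Added example (not from the thread). Register once in web.xml, for instance:
//   <filter><filter-name>xss</filter-name>
//           <filter-class>XssEscapingFilter</filter-class>
//           <init-param><param-name>encoding</param-name><param-value>UTF-8</param-value></init-param>
//   </filter>
//   <filter-mapping><filter-name>xss</filter-name><url-pattern>/*</url-pattern></filter-mapping>
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Servlet filter that normalises request encoding and HTML-escapes every request parameter. */
public class XssEscapingFilter implements Filter {

    private String encoding = "UTF-8"; // overridable through the (assumed) "encoding" init-param

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("encoding");
        if (configured != null && configured.length() > 0) {
            encoding = configured;
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Step 3: one character encoding for all input, set before anything reads a parameter.
        request.setCharacterEncoding(encoding);
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new EscapingRequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    public void destroy() {
    }

    /** Wraps the request so the parameter accessors hand back HTML-escaped values. */
    static class EscapingRequestWrapper extends HttpServletRequestWrapper {
        EscapingRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            return htmlEscape(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) {
                return null;
            }
            String[] escaped = new String[raw.length];
            for (int i = 0; i < raw.length; i++) {
                escaped[i] = htmlEscape(raw[i]);
            }
            return escaped;
        }
    }

    /** Step 2: HTML-encode the characters that break out of HTML text and attribute contexts. */
    static String htmlEscape(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Step 1: percent-encode a value (including ? & / < > and spaces) before placing it in a URL. */
    static String urlEncode(String input, String charset) {
        if (input == null) {
            return null;
        }
        try {
            return URLEncoder.encode(input, charset);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalArgumentException("unsupported charset: " + charset, e);
        }
    }
}
```

Two points a reviewer would raise before relying on this as the only fix. First, the wrapper only covers values read through getParameter()/getParameterValues(); getParameterMap(), request headers, the query string read raw, and data that was stored in the database before the filter existed are not touched, so stored XSS from old records still needs handling at output. Second, escaping on the way in is a blanket stopgap: HTML entity encoding is the wrong encoding for a value that ends up inside a JavaScript block or a URL, and it also alters data that legitimately contains `&` or `<` before it is stored. The durable fix remains encoding at the point of output, per context, in the view layer; the filter buys time across every artifact while that work is done.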

Author Comment

by:Srirampriya
Hi David,

Could you share some references or code fragments on this?

Also, I do not want to change all my files. Can you please explain a bit?
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 350 total points
LVL 20

Accepted Solution

by:Sathish David Kumar N
Sathish David Kumar N earned 150 total points
Author Closing Comment

by:Srirampriya
Need to try