Cross Site Scripting implementation

Hi All

There was some penetrating tests that was conducted in our existing production java application, and one of the recommendation is to address cross site scripting.

I need inputs from experts on implementing this cross side without the need make changes in every artifact

something like setting up some config file, etc if possible

Regards
SrirampriyaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Meir RivkinFull stack Software EngineerCommented:
i'd start with this link:
http://www.veracode.com/security/xss

the video by Chris Eng describes well what XSS means and ways to prevent it.

The following is taken from XSS Cheat Sheet from their website:
To prevent Cross-site Scripting vulnerabilities, you should URLEncode all user input that is returned as part of URLs. This will convert ?, &, /, <, >, and spaces to their respective URL encoded equals. Additionally, you should HTMLEncode all user input returned as part of HTML. This will also convert special characters into their respective HTML encoded equals. Last but not the least, you should convert all user input to a single character encoding before parsing. This applies to Single/Double Hex Encoding, Unicode Encoding, and UTF-8 Parsing.
In order to avoid Cross-site Scripting vulnerabilities, you can perform the following actions:
1. URLEncode all user input returned as part of URLs (convert ?, &, /, <, >, and spaces to their respective URL encoded equals).
2. HTMLEncode all user input returned as part of HTML.
3. Convert all user input to a single character encoding before parsing.

cheers
0
Sathish David Kumar NArchitectCommented:
Use filter concept or interceptor concept .....

when all your request/response goes to filter or interceptor .. then you cant get the form values in the URL.  you can stop Corss Site scripting .
0
Sathish David Kumar NArchitectCommented:
In Filter you can do set encoding or URLEncode.
0
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

SrirampriyaAuthor Commented:
Hi Dravid

could you share some reference or code fragments on this.

also I do not want to change in all my files. can you please explain a bit
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SrirampriyaAuthor Commented:
Need to try
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.