How to fix the Cross-Site Scripting (XSS) issue of penetration testing?
Hi All,
We have a Java web application that exposes some external web services. We are planning to migrate to the cloud, so the cyber security team scanned the code and provided pen test results. We have more than 600 errors regarding Cross-Site Scripting (XSS). I would like your help with the solution. I am attaching the comment and the few lines of code where they found the problem.
Below is the comment from the result.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Description: This call contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as JavaScript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis.
Recommendations: Use contextual escaping on all untrusted data before using it to construct any portion of an HTTP response. The escaping method should be chosen based on the specific use case of the untrusted data, otherwise it may not protect fully against the attack. For example, if the data is being written to the body of an HTML page, use HTML entity escaping; if the data is being written to an attribute, use attribute escaping; etc. When a web framework provides built-in support for automatic XSS escaping, do not disable it. Both the OWASP Java Encoder library for Java and the Microsoft AntiXSS library provide contextual escaping methods.
Code
<td>
p_session (Session Id) : <input type="text" name="p_session" size="50" maxlength="50" value='<%=p_session %>'>
<br>
p_part_nr (Number) : <input type="text" name="p_nr" size="20" maxlength="20" value='<%=p_part_nr %>'>
p_ctry_cd (Code) : <input type="text" name="p_cd" size="4" maxlength="4" value='<%=p_ctry_cd %>'>
Let me know if you need more information.
Thank you for your Help.
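As an added example (not the asker's code and not taken from the scanner's report): the three fields from the JSP above, rendered first the way the question's code does and then with the OWASP Java Encoder that the recommendation names. It assumes the Maven dependency org.owasp.encoder:encoder (1.2.3 or later); the class and method names in the demo, the constructed test value and the field formats are the example's own.

```java
// Added example: attribute-context encoding for the fields in the question.
// Dependency (Maven): org.owasp.encoder:encoder, 1.2.3 or later.
import org.owasp.encoder.Encode;

public class XssFixDemo {

    // What the JSP in the question does: the raw parameter is concatenated into a
    // single-quoted attribute, so a value containing a quote ends the attribute early.
    static String vulnerableInput(String name, int size, String value) {
        return "<input type=\"text\" name=\"" + name + "\" size=\"" + size
             + "\" maxlength=\"" + size + "\" value='" + value + "'>";
    }

    // The fix: the value lands inside an attribute, so use the attribute encoder.
    // Every quote, angle bracket and ampersand is emitted as an entity and the value
    // can no longer terminate the attribute or open a tag.
    static String safeInput(String name, int size, String value) {
        return "<input type=\"text\" name=\"" + name + "\" size=\"" + size
             + "\" maxlength=\"" + size + "\" value='"
             + Encode.forHtmlAttribute(value) + "'>";
    }

    // The same data written as text between tags (a label, an error message) needs the
    // body encoder instead, as the report says: body -> forHtml, attribute -> forHtmlAttribute.
    static String safeLabel(String label, String value) {
        return label + " : " + Encode.forHtml(value);
    }

    public static void main(String[] args) {
        // Constructed test value: a quote followed by a second attribute. In the
        // vulnerable form it becomes a real attribute; in the safe form it stays text.
        String breakout = "x' title='injected";

        System.out.println(vulnerableInput("p_session", 50, breakout));
        System.out.println(safeInput("p_session", 50, breakout));
        System.out.println(safeInput("p_nr", 20, "ABC-123"));
        System.out.println(safeInput("p_cd", 4, "US"));
        System.out.println(safeLabel("p_ctry_cd (Code)", "<b>US</b>"));
    }
}
```

In the JSP itself each finding is a one-expression change: add `<%@ page import="org.owasp.encoder.Encode" %>` at the top of the page and replace `value='<%=p_session %>'` with `value='<%= Encode.forHtmlAttribute(p_session) %>'`, and the same for `p_part_nr` and `p_ctry_cd`. Pick the encoder by where the value is written: `forHtmlAttribute` inside an attribute, `forHtml` for text between tags, `forJavaScript` for a value placed inside a `<script>` block. Encode at the point of output rather than once at input, because the same value may be written into several different contexts.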
ASKER
Are those inbuilt functions, or do we need to create those functions?
You would need to create the functions to cover the XSS attacks.
Some good reads:
Cross Site Scripting Prevention Cheat Sheet
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Cross-site Scripting (XSS)
https://www.acunetix.com/websitesecurity/cross-site-scripting/
Cross-site scripting
https://portswigger.net/web-security/cross-site-scripting
XSS is an attack where the browser's trust in the server is exploited. It means the browser accepts the input without validating it and passes sensitive data (like cookies) on to the attacker, believing it was requested by the legitimate server.
On the other hand, a CSRF attack is one where the server's trust is exploited. The server accepts the request without validation and executes it.
XSS - browser gets betrayed.
CSRF - server gets betrayed.
In the end, it's all about trust issues. Make sure you filter every user input and encode every output properly. Read the full OWASP Testing Guide. Use web application firewalls (WAF).
Reduce XSS:
- Avoid passing untrusted data
- Validate all user input on the server side and the client side
- Escape data on output
- Sanitize HTML content
- Set a Content-Security-Policy (CSP) in HTTP headers
- Write secure code
https://www.experts-exchange.com/questions/29173911/vendor's-response-on-handling-OWASP-needs-validation.html
https://owasp.org/www-community/attacks/xss/
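As an added example (not from this thread or from any of the linked pages): a servlet filter that covers two items of the list above, the Content-Security-Policy header and server-side input validation, for the form fields named in the question. It assumes the jakarta.servlet API (Servlet 5 or later; for an older container change the imports to javax.servlet); the parameter formats and the policy string are the example's own assumptions and must be adjusted to the real application.

```java
// Added example: CSP header plus whitelist validation of request parameters.
// Assumes jakarta.servlet-api 5+; for javax.servlet containers swap the package names.
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;

@WebFilter("/*")
public class XssHardeningFilter implements Filter {

    // Whitelist per parameter, sized from the maxlength values in the question's form
    // (50 / 20 / 4). The character classes are assumptions; use the real data formats.
    private static final Map<String, Pattern> RULES = Map.of(
        "p_session", Pattern.compile("[A-Za-z0-9._-]{1,50}"),
        "p_nr",      Pattern.compile("[A-Za-z0-9-]{1,20}"),
        "p_cd",      Pattern.compile("[A-Z]{2,4}"));

    // Restrictive policy: scripts only from this origin, no inline script, so an
    // injected <script> or on* handler is refused by the browser even where an
    // encoding mistake slips through. Inline scripts in the existing JSPs have to be
    // moved into files (or given a nonce) before this header goes live.
    static final String CSP =
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

    // Returns null when every known parameter passes its rule, else the first failing name.
    static String firstInvalidParameter(Map<String, String[]> params) {
        for (Map.Entry<String, Pattern> rule : RULES.entrySet()) {
            String[] values = params.get(rule.getKey());
            if (values == null) {
                continue;          // parameter absent: nothing to check here
            }
            for (String v : values) {
                if (!rule.getValue().matcher(v).matches()) {
                    return rule.getKey();
                }
            }
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        resp.setHeader("Content-Security-Policy", CSP);
        resp.setHeader("X-Content-Type-Options", "nosniff");

        String bad = firstInvalidParameter(req.getParameterMap());
        if (bad != null) {
            // Reject instead of "cleaning" the value: stripping characters hides bugs.
            // Only the parameter name goes into the error text, never the raw value,
            // so the rejected input is not reflected back into the error page.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid value for " + bad);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Validation of this kind narrows what reaches the JSPs but does not replace output encoding: a value such as a part number may legitimately contain characters that need escaping in one output context and not another, so the per-context encoder at the point of output remains the fix for each reported finding, and the CSP header is the safety net behind it.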
ASKER
Thank you all for the comments. All the threads will help us.
Thank You