Home » Liferay Portal » English » 3. Development
MANOVINAYAK AYYAPPAN
XSS Attack Prevention Mechanism
March 12, 2012 8:27 PM

Hi All,

I am currently working on building an XSS attack prevention mechanism for one of my Liferay projects.

I have gone through a considerable amount of forum posts and external content on XSS prevention. Below are some of the ones that I have gone through.

1. Escaping Characters
http://www.liferay.com/community/wiki/-/wiki/Main/Escaping
http://www.liferay.com/community/forums/-/message_boards/message/1453941
2. Developing Filters
http://greatwebguy.com/programming/java/simple-cross-site-scripting-xss-servlet-filter/
3. Others
http://www.liferay.com/community/forums/-/message_boards/message/11432281
http://www.liferay.com/web/juan.fernandez/blog/-/blogs/sanitizers-in-liferay-6

I have gone through the AntiSamySanitizer implementation in the Liferay Portal Systems Development book and could not find it in the Knowledge Base portlet service implementation. I believe this is part of the Enterprise Edition and NOT of the Community Edition.

My project is a normal portal project which is quite straightforward, and we are using Liferay 6.0.6 Community Edition.

I am not clear on how to implement a neat and standard XSS prevention mechanism.

Please, if anyone could share best practices, right from the JSP to the model level, on how we can prevent XSS attacks, or any link to any source of information on XSS attack prevention in Liferay portals, that would be great.

Thanks and Regards,
Mano
Rojalin Patri
RE: XSS Attack Prevention Mechanism
March 13, 2012 12:35 AM

Hi Mano,
I have implemented the XSS attack prevention mechanism, but in 5.2.3. Maybe the same will help you out. Though I am not very clear about your requirement, I could tell you how I have implemented it in my application.
Step 1:
Create an EXT and create a folder XSS under the path portal-impl/src/com/liferay/portal/servlet/filters/
Step 2:
Create two Java files, CrossScriptingFilter.java and RequestWrapper.java, in the XSS folder.
Step 3:
Add the following code to the CrossScriptingFilter.java file:
package com.liferay.portal.servlet.filters.XSS;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Servlet filter that replaces the incoming request with a RequestWrapper, so every
// parameter and header read further down the chain has already passed through cleanXSS().
public class CrossScriptingFilter implements Filter {

    private FilterConfig filterConfig = null;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        // Only HTTP requests are expected here; the cast is unchecked, as in the original.
        chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);
    }

}
Step 4:
Add the following code to RequestWrapper.java:
package com.liferay.portal.servlet.filters.XSS;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Request wrapper that rewrites parameter and header values before the application sees them.
// Note that getParameterMap() is not overridden, so code reading the map still gets raw values.
public class RequestWrapper extends HttpServletRequestWrapper {

    public RequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    private String cleanXSS(String value) {
        // Replace angle brackets, parentheses and single quotes with HTML entities
        // (the entities are written out directly here; the forum had inserted spaces into them).
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        // Drop eval(...) calls, quoted javascript: URLs and every (lowercase) occurrence of "script"
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }
}
Step 5:
Do ant deploy. It will create the bundle, which will prevent adding JavaScript to the pages and inserting malicious code into the user profile.
This is what I have done for my requirement.
You can do the same from the source code: place the above folders in portal-impl/src/, then run ant compile and create the portal-impl.jar. Then you can replace the jar in the Liferay bundle at webapps\ROOT\WEB-INF\lib. But this is not recommended.
Hope this helps...
Regards
Rojalin
Hitoshi Ozawa
RE: XSS Attack Prevention Mechanism
March 13, 2012 6:11 AM

If you can upgrade to Liferay 6.1, it may solve your problem without coding.
As you can see from searching "xss" in the JIRA issues, many XSS problems were solved in the latest release.
MANOVINAYAK AYYAPPAN
RE: XSS Attack Prevention Mechanism
March 13, 2012 10:39 PM

Hi Rojalin,

Thanks a lot for sharing your knowledge. That was one awesome detailed post which would help many here.

I had previously tried the approach that you have explained in my 6.0.6 Liferay project. The only difference is that I directly changed the web.xml, packaged the two classes into a jar and placed it in the ROOTLIB.

It worked perfectly well, but the jQuery and other AUI scripts that we had on all the JSP pages did not work, and as a result we had to pull off this filter. So none of the legitimate jQuery and JS on each of the JSPs worked.
But I noticed that it worked well on localhost on my machine; when I deployed it to the clustered environment, all the legitimate JS scripts on each of the JSPs stopped working.

I am still researching the best possible approach, one that works closely with the source code of my project rather than a separate filter.
I am looking into mitigating the XSS attack in layers (JSP, portlet class, service and ModelImpl) so that the effect of an attack is nullified.

Thanks a lot Rojalin, for your time and the well explained and well formatted post.


Thanks and Regards,
Mano
MANOVINAYAK AYYAPPAN
RE: XSS Attack Prevention Mechanism
March 13, 2012 10:40 PM

Hi Hitoshi,

Yes, you are absolutely correct. Even my manager suggested this to me when I had a talk with him on the XSS issues that we were facing.

Need to quickly upgrade to 6.1.

Thanks,
Mano
Olaf Kock (LIFERAY STAFF)
RE: XSS Attack Prevention Mechanism
March 14, 2012 2:02 AM

While a filter might seem like a good solution to easily get rid of some vulnerabilities, I find it's triggered too early: You can't add web content any more, legitimate HTML content will be filtered too early. Also, this will save HTML entities in the database - if you use your data in any other context than web - e.g. reports, email, plaintext or other, you'll need to unescape them then, thus polluting your system all over.

This might be what you're looking for (e.g. rather err on the too-safe side than on the too-error-prone side), but I haven't seen this approach in a way that didn't cause more hassle than benefit. Just be aware on which side of the equation you're on: A filter might generate a lot more follow-up work than a thorough code review.
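As an added example (not code from this thread, from Rojalin's filter, or from Liferay), this is the alternative Olaf's post argues for over the request-filter approach in the steps above: keep the submitted value raw and encode it only at output time, with the encoder chosen by the context it lands in. The class name and the profile text are constructed; the pre-encoded string is what the posted cleanXSS would store for that same input, worked by hand from the posted code.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not code from the thread or from Liferay: store the submitted
// value raw and encode it only when it is written into a specific output context.
public final class ContextualEncodingDemo {
    // HTML text / attribute context: entities are created here, never in the database.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
    // JavaScript string-literal context: everything but ASCII letters and digits becomes a
    // hex escape (\xHH for Latin-1, a four-hex-digit unicode escape otherwise), so neither
    // a quote nor "</script>" can end the literal.
    static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) sb.append(c);
            else if (c < 256) sb.append(String.format("\\x%02X", (int) c));
            else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }
    // Renders one stored profile field into each context the value is reused in.
    static Map<String, String> render(String stored) {
        Map<String, String> out = new LinkedHashMap<>();
        out.put("html", "<p>" + escapeHtml(stored) + "</p>");
        out.put("js", "var about = '" + escapeJsString(stored) + "';");
        out.put("email", "About: " + stored); // plaintext mail: no encoding wanted here
        return out;
    }
    public static void main(String[] args) {
        // Constructed, entirely legitimate profile text.
        String raw = "Rock & Roll fan (since '99), loves javascript";
        // What the thread's cleanXSS would store for the same input (worked by hand
        // from the posted code): entities in the DB, and "javascript" cut down to "java".
        String preEncoded = "Rock & Roll fan &#40;since &#39;99&#41;, loves java";
        render(raw).forEach((k, v) -> System.out.println("raw         " + k + ": " + v));
        // The HTML view now double-encodes (&amp;#40;) and the mail shows literal entities.
        render(preEncoded).forEach((k, v) -> System.out.println("pre-encoded " + k + ": " + v));
    }
}
```

With the raw value, every context is safe and the plaintext mail stays readable; with the filter's pre-encoded value, the page shows "&#40;" literally and the mail carries entities, which is the pollution Olaf describes.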
Hitoshi Ozawa
RE: XSS Attack Prevention Mechanism
March 14, 2012 2:48 AM

A new version is supposed to come out soon with more XSS vulnerability fixes as well as fixes for other bugs in the current GA1.
I think this new version will be like 6.0.6 and will be more of a bug fix rather than additional features.
Jelmer Kuperus
RE: XSS Attack Prevention Mechanism
March 14, 2012 5:37 AM

Seriously.. filters like this are an antipattern. They're only there to mitigate risk caused by developers that don't know what the hell they are doing.
MANOVINAYAK AYYAPPAN
RE: XSS Attack Prevention Mechanism
March 15, 2012 6:50 AM

Thank you all for your inputs.

I believe Security aspects should be considered by everyone during development.

And any other measures like filters would be secondary.

Thanks all, I will be working on security aspects for some time; if possible I will compile my knowledge and post it here.

Thanks and Regards,
Mano
Ravikant Kadbe
RE: XSS Attack Prevention Mechanism
May 21, 2012 11:14 PM

Hi,

I am looking for the solution to a somewhat similar issue. Did you find anything? Can you please share your findings?

Thanks
Manish Yadav
RE: XSS Attack Prevention Mechanism
June 19, 2013 6:11 AM

MANOVINAYAK AYYAPPAN:
Thank you all for your inputs.

I believe Security aspects should be considered by everyone during development.

And any other measures like filters would be secondary.

Thanks all, I will be working on Security aspects for sometime, if possible I will compile my knowledge and post it here.

Thanks and Regards,
Mano



Hi MANOVINAYAK,
Did you get a solution to your problem? I'm also facing a problem with an XSS vulnerability. Could you please suggest to me which approach is good to prevent XSS attacks?
Olaf Kock (LIFERAY STAFF)
RE: XSS Attack Prevention Mechanism
June 20, 2013 6:23 AM

<shameless-plug>You might find some pointers in Episode 22 of Radio Liferay</shameless-plug>