Hey Olaf,
Thanks for the humble suggestion
Can you please elaborate your concern?
Is your concern suggest to override any response methods as same as I did for request side or something else?
This is because I know how to escape but I didn't get where to escape.
Regards
Thanks for the humble suggestion
You should escape on the response side, not on the request side
Can you please elaborate your concern?
Is your concern suggest to override any response methods as same as I did for request side or something else?
This is because I know how to escape but I didn't get where to escape.
Regards
Dushyant Tusharkant Dave:
Hey Olaf,
Thanks for the humble suggestionYou should escape on the response side, not on the request side
Can you please elaborate your concern?
Is your concern suggest to override any response methods as same as I did for request side or something else?
This is because I know how to escape but I didn't get where to escape.
Regards
When you want to display or render the content to somewhere in your user interface. Just before you do that rendering you can do an HTMLescape.
If you don't want to include that kind of Java code into your JSP, you can escape the data in your render method or before the render method.
Only thing we want to keep the exact user data in the persistence. It will be helpful for some future data analysis.
Thanks,
R S
Hi Arun,
Thanks for your suggestion
As per your suggest, it requires so much effort. I'm at the stage when we are planning to release & I believe this will not make it.
There should be a generic solution intended to accomplish all the requirement, e.g., a filter configuration incorporation. If you can suggest something like that, please do share your opinion.
Regards
Thanks for your suggestion
As per your suggest, it requires so much effort. I'm at the stage when we are planning to release & I believe this will not make it.
There should be a generic solution intended to accomplish all the requirement, e.g., a filter configuration incorporation. If you can suggest something like that, please do share your opinion.
Regards
Dushyant Tusharkant Dave:
Hi Arun,
Thanks for your suggestion
As per your suggest, it requires so much effort. I'm at the stage when we are planning to release & I believe this will not make it.
There should be a generic solution intended to accomplish all the requirement, e.g., a filter configuration incorporation. If you can suggest something like that, please do share your opinion.
Regards
I didn't get
Dushyant Tusharkant Dave:
There should be a generic solution intended to accomplish all the requirement, e.g., a filter configuration incorporation.
Don't you feel escaping data is not a generic solution for the problem?
What I understand from your point is that, you have some sort of specif system design and you are already ready with your application. But you may need to put a lot of effort to change your code to escape the HTML chars.
If that is the case, you may proceed with the implementation which is already done. From the previous post I understand that you had done the html escape when you get data from the request. If you don't want to use the user submitted data for any future analysis, this will be fine, but not the best practice.
Brijesh Desai:
Thanks Samuel / Olaf for the reply.
Here challenge for me is we have many form parameters and multiple forms as well.
Using HtmlUtil.escape I believe is not good practice to do go ahead.
What do you suggest on using filter for this ?
regards,
Brijesh
As Olaf mentioned, this is a Best practice, when you store the original data and while providing your response, just escape the data. This way you can use the orginal data, from the database for any future analysis. You can read more about handling XSS using Java on Owasp. https://www.owasp.org/index.php/Category
WASP_Java_ProjectThanks,
Arun
Hi Brijesh,
I got the solution how to prevent this XSS Attack.
I created one filter hook & in that doFilter() method, I'm iterating all the request-parameter-map-values & escaping it using HtmlUtil.escape().
By comparing request-parameter-map-values old value with the new escaped value, I implemented the logic what to do if any XSS Attack.
This is how I made the configuration:
This code will make a logout and do homepage redirect if XSS Attack is there.
Regards.
I got the solution how to prevent this XSS Attack.
I created one filter hook & in that doFilter() method, I'm iterating all the request-parameter-map-values & escaping it using HtmlUtil.escape().
By comparing request-parameter-map-values old value with the new escaped value, I implemented the logic what to do if any XSS Attack.
This is how I made the configuration:
/**
* @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
*/
@SuppressWarnings("unchecked")
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
Map<String, String[]> paramMap = servletRequest.getParameterMap();
Set<Entry<String, String[]>> paramMapSet = paramMap.entrySet();
String[] values;
boolean xssAttack = false;
for (Entry<String, String[]> entry : paramMapSet) {
values = (String[])entry.getValue();
for(String value : values){
String xssPreventedValue = value;
xssPreventedValue= HtmlUtil.escape(xssPreventedValue);
if(!value.equals(xssPreventedValue)){
xssAttack = true;
}
}
}
if(xssAttack){
_log.error(xssAttackLog);
HttpSession session =((HttpServletRequest)servletRequest).getSession();
if (session != null)
session.invalidate();
response.sendRedirect(homepageURL);
_log.info(sessionInvalidated);
} else{
filterChain.doFilter(servletRequest, response);
}
}
private static final String xssAttackLog = "Cause of XSS Attack. User is trying to malicious data which is prohibited.";
private static final String sessionInvalidated = "Session invalidated";
private static final String homepageURL = "/web/guest/home";
This code will make a logout and do homepage redirect if XSS Attack is there.
Regards.
