Friday, January 29, 2016

Fixing XSS vulnerabilities in your Jaggery-based web applications

XSS attacks are quite a common security threat in web applications. For example, suppose your web application contains a URL like the one below.

http://host:port/app1/addEmployee/id=

An attacker can get a script of his own executed from the above URL if you have not checked for and fixed your XSS vulnerabilities. He could craft a malicious URL like the one below.

http://host:port/app1/addEmployee/id=<script>alert(1)</script>

If the value taken from that URL is written into the page without proper encoding, the script is executed in the browser of whoever opens the URL, against your application.

In a Jaggery-based application, you can easily encode such values with the OWASP Java Encoder.

In your .jag file, first import the encoder as shown below.

 var Encode = Packages.org.owasp.encoder.Encode;

Next, use the Encode methods wherever the value is written into the page. For example, take the URL above and assume that the id is passed to a JavaScript function on a button click, like this.

 <button type="button" class="btn btn-default" onclick="addUser('<%=Encode.forJavaScript(id)%>')"><%=i18n.localize("submit", "Submit")%></button>

After encoding, the characters that make up the closing script tag are escaped (its slash becomes \/, for example), so the tag can no longer end the string and the value stays a harmless JavaScript string. Depending on the context into which the content is written, you have to choose the matching encoding method, such as forHtml, forUriComponent, etc. You can find all the related methods in [1].
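The encoder-per-context rule above, as an added example that is not code from the original post, from Jaggery, or from the OWASP Java Encoder. The forHtml, forJavaScript and forUriComponent functions here are simplified re-implementations written to model the corresponding Encode methods so their output can be inspected in plain Node.js; renderSubmitButton, renderSubmitButtonUnsafe, addEmployeeUrl, renderConfirmation, PAYLOAD and LEGIT are assumed names, while addUser, Submit and the host:port URL come from the post. Note that forJavaScript (in the library as here) produces the body of a JavaScript string literal, so the template has to supply the surrounding quotes:

```javascript
// Added example (not code from the original post, from Jaggery, or from the
// OWASP Java Encoder). The three encoders below are simplified
// re-implementations modelled on Encode.forHtml, Encode.forJavaScript and
// Encode.forUriComponent; in a real .jag file call
// Packages.org.owasp.encoder.Encode instead.

// HTML body / attribute context.
function forHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// JavaScript string-literal context. Quotes, <, >, & and / are hex-escaped
// rather than left literal, which is why the result is also safe inside an
// HTML event-handler attribute such as onclick="...".
function forJavaScript(s) {
  return String(s).replace(/[\\'"\/<>&\u0000-\u001f\u2028\u2029]/g, (c) => {
    switch (c) {
      case '\\': return '\\\\';
      case '/':  return '\\/';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\t': return '\\t';
      case '\b': return '\\b';
      case '\f': return '\\f';
    }
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// URL component context: only RFC 3986 unreserved characters survive
// (encodeURIComponent leaves !'()* alone, so they are percent-encoded here).
function forUriComponent(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// The post's button rendered without encoding: the raw value is copied into
// the handler, so any markup passes through verbatim and a quote in the
// value (even a legitimate apostrophe) ends the string literal early.
function renderSubmitButtonUnsafe(id) {
  return '<button type="button" class="btn btn-default" onclick="addUser(\'' +
    id + '\')">Submit</button>';
}

// The hardened form: the encoded value sits inside quotes, so the browser
// parses it as a JavaScript string literal and never as code.
function renderSubmitButton(id) {
  return '<button type="button" class="btn btn-default" onclick="addUser(\'' +
    forJavaScript(id) + '\')">Submit</button>';
}

// The post's URL shape (host:port is the post's placeholder) with the id in
// URL context; forJavaScript would be the wrong encoder here.
function addEmployeeUrl(id) {
  return 'http://host:port/app1/addEmployee/id=' + forUriComponent(id);
}

// A confirmation line in HTML body context.
function renderConfirmation(id) {
  return '<p>Added employee ' + forHtml(id) + '</p>';
}

// Constructed sample inputs: the payload from the post and a legitimate
// name containing an apostrophe, which every encoder must preserve.
const PAYLOAD = '<script>alert(1)</script>';
const LEGIT = "O'Brien";

if (typeof require !== 'undefined' && require.main === module) {
  for (const id of [PAYLOAD, LEGIT]) {
    console.log(renderSubmitButtonUnsafe(id));
    console.log(renderSubmitButton(id));
    console.log(addEmployeeUrl(id));
    console.log(renderConfirmation(id));
  }
}
```

Running it with node prints, for each input, the vulnerable button, the encoded button, the URL and the confirmation line. The encoded button neutralises the post's payload and still passes "O'Brien" through intact, which is the check to make after adding encoding: the page must stay correct for legitimate data, not just stop the script.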


[1]  https://github.com/OWASP/owasp-java-encoder/blob/master/core/src/main/java/org/owasp/encoder/Encode.java
