0

I have this thing which I'm dealing with right now, XSS.

I need to detect if a string contains XSS or not. In order to solve it I used that link. And this is the code I'm using: 

public static boolean containsXSS(String value) {
    if (StringUtils.isEmpty(value)) {
        return false;
    }
    String stripXss = stripXSS(value);
    return !value.equals(stripXss);
}

public static String stripXSS(String value) {


 if (StringUtils.isBlank(value))
        return value;

    // Use the ESAPI library to avoid encoded attacks.
    Encoder encoder = ESAPI.encoder();
    value = encoder.canonicalize(value);

    // Avoid null characters
    value = value.replaceAll("\0", "");

    // Clean out HTML
    Document.OutputSettings outputSettings = new Document.OutputSettings();
    outputSettings.escapeMode(Entities.EscapeMode.xhtml);
    outputSettings.prettyPrint(false);
    value = Jsoup.clean(value, "", Whitelist.none(), outputSettings);

    return value;
}

Using the code above I do succeed to catch things like: <script>alert('xss')</script>

My problem is that I identify the following string as containing XSS although it's not: {"item" :5}

It's because jsoup.clean turns it into {&quot;item&quot; :5}

I have tried to solve but with no success. It makes me wonder if my algorithm is completely wrong (if so where can I find the algorithm to detect XSS), perhaps I don't need to compare to the original String?

I would very appreciate if you could help me.

thanks

Improve this question
3
  • 4
    You can’t “detect if a string contains XSS”. Escape your output properly and XSS won’t be a problem. Commented Aug 22, 2017 at 18:16
  • Owasp provides sanitizers, use those Commented Aug 22, 2017 at 18:17
  • How do you escape properly? is'nt there a convention? should I use only apache.StringEscapeUtils.escapeHtml ? Commented Aug 22, 2017 at 19:03

1 Answer 1

Reset to default
2

You cannot detect if a string contains XSS. XSS in an output issue, not an input issue. Data benign in one context, can cause malicious behaviour in another.

  1. Validate data using white lists to ensure data is valid in your domain (numbers are numbers, names do not contain unwantef characters etc.). This will stop some but definitely not all attacks.

  2. Contextually encode user provided output as explained in the OWASP XSS prevention cheat sheet

  3. Dont mix client side and server side templates

  4. Be careful when using unsanitized data in javascript (see DOM-based XSS)

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project contains information about the sanitizers provided by OWASP plus links to the cheat sheet you named

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.