1

I am working on fixing Cross site scripting issues in java.Since i am new to OWASP, could someone please help me to figure out how to use OWASP in below cases to sanitize inputs.

  1. Enumeration<String> EnumHeader = request.getHeaderNames();

  2. Map<String, String[]> pMap = request.getParameterMap();

  3. Object value = request.getHeader(key);

  4. String[] refs = (req.getParameterValues(REFS_NAME));

Improve this question
2

3 Answers 3

Reset to default
1

While data validation can be very helpful in preventing XSS, it doesn't necessarily cover all the bases for persistent XSS. The only 100% effective protection is proper contextual output encoding as offered by the OWASP Java Encoder Project, or OWASP ESAPI's Encoder. One reason for this is for persistent XSS, the tainted data can come from a DB that might be entered or altered by another application that has insert / update access to those same DB tables but which is NOT doing proper data validation. (That is, the tainted data could enter into your system in some other manner than through your application.) So the only foolproof solution is to do proper contextual output encoding. The OWASP XSS Prevention Cheat Sheet that you have already been pointed to is a great place to start that explains all of that.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

How could I prevent XSS issue for java objects
@unknown_11 - You will need to provide more details for us to provide further assistance as XSS defense is very nuanced. Until then, I can only give a generic answer like "use CSP headers and appropriate contextual output encoding". As fgb mentioned earlier though, I would refer you to the OWASP XSS Prevention Cheat Sheet at cheatsheetseries.owasp.org/cheatsheets/… as a place to start.
0

You could use an OS library to sanitize those Strings/Objects.

Example library: https://finn-no.github.io/xss-html-filter/

Then for those collections of headers and parameters you could iterate through them using Java 8 Streams, and map them to new filtered collections (that use the sanitizer library).

Improve this answer

3 Comments

The approach of that library, using regex to replace strings in the html, can produce vulnerable malformed html. The owasp html sanitizer is better. For example, this executes an alert: <a href='&#60;/a&#x3e;&#39;&#60;script&#x3e;alert(1)&#x3c;/script&#x3e;'>123</a><a href='&#60;/a&#x3e;&#39;&#60;script&#x3e;alert(1)&#x3c;/script&#x3e;'>123</a>
Indeed, the HTML filter referenced here has the specific use case that your application has to accept HTML content from users--by default it could make you MORE vulnerable, especially if you're not doing output escaping. As @fgb also points out, the correct way to sanitize HTML is with an HTML parser, NOT regex.
Trying to address XSS vulnerabilities by using an interceptor approach such as a JavaEE Servlet Filter or a Spring Interceptor is bound to fail. It is an anti-pattern. I wrote about this anti-pattern on our ESAPI GitHub wiki. For details, see github.com/ESAPI/esapi-java-legacy/wiki/…. That said, xss-html-filter is a sanitizer rather than an output encoder. It seems more like a naive OWASP HTML Sanitizer or OWASP AntiSamy. YMMV.
0

Cross site scripting can be fixed by encoding the parameter and also by validating the parameter with a customized regex.

For example: Encode.forhtml(inputparam)

There are serveral types of context based encoding using OWASP encoder. if your not sure about encoder or validation pattern, try the below cross site scripting validator to make sure the working(right) fix approach.

XSS validator for java: http://fixforscrossite.us-east-2.elasticbeanstalk.com/

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.