CertGear - Java / Web Application Security - Guidelines For Secure Web Component Development
 Java & Web Application Security  
Cross Site Scripting Attacks

The attack usually consists of a malicious user submitting client-side executable script (e.g. JavaScript) or malicious HTML (or XML) tags, which the JSP server then includes unchanged in a dynamically generated page. Because that script runs in the browser of whoever views the page, the attack is normally targeted against other clients and, less commonly, against the server.

A typical example of a cross site scripting attack can be seen on discussion group servers which allow users to include formatting tags in their posts. The most commonly abused tags are those that embed code in a page, such as <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>. Other tags can also be dangerous: in particular, the <FORM> tag can be used to present a fake input form and trick visitors into revealing sensitive information. A request string containing malicious tags could look similar to this:

http://server/jsp_script.jsp?poster=evilhacker&message=<SCRIPT>evil_code</SCRIPT>

Mitigation is achieved through input validation and output filtering (escaping). It is essential to perform this validation on the server side and not only in client-side JavaScript: nothing prevents a user from disabling the script or crafting the request by hand, so client-side validation is trivially bypassed and must be treated as a usability aid, not a security control.

Here is a sample segment for server-side validation of embedded tags:

<!-- HTML code up to here -->
<%
   // Read the untrusted parameter. getParameter() returns null when the
   // parameter is absent, so guard against a NullPointerException first.
   String message = request.getParameter("message");
   if (message == null) {
       message = "";
   }
   // Negative filtering: rewrite each HTML/JavaScript meta-character to an
   // underscore. String.replace(char, char) replaces every occurrence, so
   // "<SCRIPT>" becomes "_SCRIPT_" and is no longer parsed as a tag.
   message = message.replace('<', '_');
   message = message.replace('>', '_');
   message = message.replace('"', '_');
   message = message.replace('\'', '_');
   message = message.replace('%', '_');
   message = message.replace(';', '_');
   message = message.replace('(', '_');
   message = message.replace(')', '_');
   message = message.replace('&', '_');
   message = message.replace('+', '_');
%>
<p>
The message is: 
<hr/>
<tt><%= message %></tt>
<hr/>
</p>
<!-- more HTML below -->

Since it is difficult to enumerate every meta-character in HTML (and a blacklist such as the one above also mangles legitimate input), the safer approach is positive filtering: discard (or escape) everything except the explicitly allowed characters, e.g. [A-Za-z0-9]. For free text that must keep its punctuation, escape at the point of output instead, converting <, >, &, " and ' into HTML character entities so the browser renders them as text rather than interpreting them as markup.
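As an added example (not code from the original page), the following plain-Java class applies both defenses to the poster/message request shown above: an allowlist check for the short poster name and HTML entity encoding for the free-text message, next to the unsafe concatenation that produces the vulnerability. The class name XssDefense, the 32-character limit on the poster name and the sample inputs are assumptions made for illustration.

```java
import java.util.regex.Pattern;

/**
 * Added example: server-side XSS defenses for the "poster" and "message"
 * parameters of the request discussed in the text. Plain Java, no servlet
 * container required; run main() to compare the unsafe and safe renderings.
 */
public final class XssDefense {

    /** Positive filter (assumed policy): the poster name may contain only [A-Za-z0-9], 1..32 chars. */
    private static final Pattern POSTER_ALLOWED = Pattern.compile("^[A-Za-z0-9]{1,32}$");

    private XssDefense() {}

    /** Returns true only if the poster name consists solely of allowed characters. */
    public static boolean isValidPoster(String poster) {
        return poster != null && POSTER_ALLOWED.matcher(poster).matches();
    }

    /**
     * Output encoding for an HTML text node or double-quoted attribute value:
     * each meta-character becomes a character entity, so the browser displays
     * the original text but never interprets it as markup or script.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The vulnerable pattern: untrusted parameters concatenated straight into the page. */
    public static String renderUnsafe(String poster, String message) {
        return "<p><b>" + poster + "</b> wrote:</p>\n<tt>" + message + "</tt>";
    }

    /**
     * Hardened rendering: reject a poster name outside the allowlist and
     * entity-encode the message at the point where it is written into HTML.
     */
    public static String renderSafe(String poster, String message) {
        if (!isValidPoster(poster)) {
            throw new IllegalArgumentException("poster name contains disallowed characters");
        }
        return "<p><b>" + poster + "</b> wrote:</p>\n<tt>" + escapeHtml(message) + "</tt>";
    }

    public static void main(String[] args) {
        // Constructed inputs, equivalent to the parameters of the request in the text.
        String poster = "evilhacker";
        String message = "<SCRIPT>evil_code</SCRIPT>";

        System.out.println("--- unsafe: the SCRIPT tag reaches the browser intact ---");
        System.out.println(renderUnsafe(poster, message));

        System.out.println("--- safe: the tag is rendered as entities, i.e. visible text ---");
        System.out.println(renderSafe(poster, message));

        // A poster name with characters outside the allowlist is rejected outright.
        try {
            renderSafe("evil<hacker>", "hi");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected poster: " + e.getMessage());
        }
    }
}
```

In the JSP segment above the same effect is obtained by writing `<tt><%= XssDefense.escapeHtml(request.getParameter("message")) %></tt>`; JSTL's `<c:out value="${param.message}"/>` performs equivalent escaping by default (escapeXml is true unless overridden). Note that this encoder is only correct for HTML body and quoted-attribute contexts: a value inserted into a JavaScript block, a URL or a CSS rule needs the encoding appropriate to that context.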
