Cross Site Scripting Attacks
The attack usually consists of a malicious user submitting client-side executable scripts (e.g. JavaScript code) or malicious HTML (or XML) tags, which the JSP server then includes in a dynamically generated page. The attack may be targeted against other clients or, less commonly, against the server itself.
A typical example of a cross site scripting attack can be seen on some discussion group servers which allow users to include formatting tags in their posts. Commonly abused tags are those that allow embedding of code inside a page, such as <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>. Other tags can also be dangerous -- in particular, the <FORM> tag can be used to trick visitors into revealing sensitive information. A request string containing malicious tags could look similar to this:

http://server/jsp_script.jsp?poster=evilhacker&message=<SCRIPT>evil_code</SCRIPT>
Mitigation of the problem is of course achieved through input validation and output filtering. It is very important to do this kind of input validation on the server side and not, for instance, using JavaScript on the client side: there is nothing to prevent the user from bypassing client-side validation code.
Here is a sample segment for server-side validation of embedded tags:

<!-- HTML code up to here -->
<%
    // Read the posted message; getParameter() returns null when the
    // parameter is absent, so substitute an empty string first.
    String message = request.getParameter("message");
    if (message == null) {
        message = "";
    }
    // Negative filtering: replace each known HTML meta-character with '_'
    message = message.replace('<', '_');
    message = message.replace('>', '_');
    message = message.replace('"', '_');
    message = message.replace('\'', '_');
    message = message.replace('%', '_');
    message = message.replace(';', '_');
    message = message.replace('(', '_');
    message = message.replace(')', '_');
    message = message.replace('&', '_');
    message = message.replace('+', '_');
%>
<p>
The message is:
<hr/>
<tt><%= message %></tt>
<hr/>
</p>
<!-- more HTML below -->
Since it is difficult to enumerate all meta-characters in HTML, the safer approach is to do positive filtering, discarding (or escaping) everything except the explicitly allowed characters (e.g. [A-Za-z0-9]).
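The following is an added example, not code from the original article, showing the two server-side approaches the text recommends in plain Java so they can be called from a JSP page or servlet: positive (allow-list) filtering of the message, and escaping of HTML meta-characters on output so the browser treats the message as text rather than markup. The class name MessageFilter, the method names allowListFilter and htmlEscape, and the allowed character set used here are this example's own assumptions.

```java
import java.util.regex.Pattern;

// Added example: helpers a JSP page could call instead of the
// negative-filtering replace() chain shown above. Class and method
// names are assumptions made for this example.
public final class MessageFilter {

    // Positive filtering: anything outside the allowed set is dropped.
    // The allowed set here is letters, digits, space and basic punctuation;
    // it deliberately excludes every HTML meta-character.
    private static final Pattern DISALLOWED =
            Pattern.compile("[^A-Za-z0-9 .,!?]");

    private MessageFilter() {
    }

    // Returns the message with every disallowed character replaced by '_'.
    public static String allowListFilter(String message) {
        if (message == null) {
            return "";
        }
        return DISALLOWED.matcher(message).replaceAll("_");
    }

    // Output escaping: keeps the message readable but encodes the characters
    // that would otherwise let the browser interpret it as tags or attributes.
    public static String htmlEscape(String message) {
        if (message == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(message.length() + 16);
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input modelled on the request string in the article.
        String message = "<SCRIPT>evil_code</SCRIPT>";
        System.out.println("allow-list: " + allowListFilter(message));
        System.out.println("escaped:    " + htmlEscape(message));
    }
}
```

In a JSP page the call would replace the chain of replace() statements, for example <%= MessageFilter.htmlEscape(request.getParameter("message")) %>. Escaping on output is usually preferable to discarding characters, because it preserves what the user wrote while still preventing the browser from interpreting it as markup.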