XSS Countermeasures
================================================================================
.. only:: html

 .. contents:: Table of Contents
    :local:
Overview
--------------------------------------------------------------------------------
| Cross Site Scripting (abbreviated below as XSS) is the injection of malicious scripts into a trusted web site,
| deliberately exploiting a security defect in the web application.
| For example, when data entered into the web application (form input etc.) is output in HTML without appropriate escaping,
| the tag characters in the input value are interpreted by the browser as HTML as they are.
| If a script with a malicious value is run, attacks such as session hijacking occur
| through tampering with cookies or stealing cookie values.
Stored & Reflected XSS Attacks
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
XSS attacks are broadly classified into two categories.

**Stored XSS Attacks**

| In Stored XSS Attacks, the malicious code is permanently stored on the target server (for example in a database).
| When the stored information is requested, the user retrieves the malicious script from the server and ends up running it.

**Reflected XSS Attacks**

| In Reflected XSS Attacks, the malicious code sent as part of the request to the server is
| reflected back in error messages, search results, or other types of response.
| When a user clicks the malicious link or submits a specially crafted form,
| the injected code is returned as part of the response and runs in the user's browser.
| The browser executes the code because it arrived from a trusted server.

Both Stored XSS Attacks and Reflected XSS Attacks can be prevented by escaping output values.
|
How to use
--------------------------------------------------------------------------------
| When input from the user is output as it is, the system is exposed to XSS vulnerabilities.
| Therefore, as a countermeasure against XSS, the characters that have a specific meaning in the HTML markup language must be escaped.

Escaping is divided into three types according to the context in which the value is output.

Escaping types:

* Output Escaping
* JavaScript Escaping
* Event handler Escaping
.. _xss_how_to_use_ouput_escaping:
Output Escaping
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| Escaping HTML special characters is the fundamental countermeasure against XSS vulnerabilities.
| The HTML special characters that require escaping, and their escaped forms, are as follows:

.. tabularcolumns:: |p{0.50\linewidth}|p{0.50\linewidth}|

.. list-table::
   :header-rows: 1
   :widths: 50 50

   * - Before escaping
     - After escaping
   * - ``&``
     - ``&amp;``
   * - ``<``
     - ``&lt;``
   * - ``>``
     - ``&gt;``
   * - ``"``
     - ``&quot;``
   * - ``'``
     - ``&#39;``
| To prevent XSS, \ ``f:h()``\ should be used for all display items that are output as strings.
| An example of an application in which an input value is re-output on a different screen is given below.
Example of vulnerability when output values are not escaped
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
| The example below is given only for reference; it should never be implemented.

**Implementation of output screen**

.. code-block:: jsp

    <tr>
        <td>Job</td>
        <td>${customerForm.job}</td> <!-- (1) -->
    </tr>

.. tabularcolumns:: |p{0.10\linewidth}|p{0.90\linewidth}|

.. list-table::
   :header-rows: 1
   :widths: 10 90

   * - Sr. No.
     - Description
   * - | (1)
     - | ``job``, a field of ``customerForm``, is output without escaping, so any HTML in the value is interpreted by the browser as markup.
JavaScript Escaping
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

| When a value entered by the user is embedded in a JavaScript string literal inside a ``<script>`` block,
| the escaping required differs from HTML escaping: the value must be written so that it can close
| neither the string literal nor the script element that contains it.
| Consider a script that assigns the ``warnCode`` entered by the user to a JavaScript variable, and enter the following value:

.. tabularcolumns:: |p{0.20\linewidth}|p{0.80\linewidth}|

.. list-table::
   :header-rows: 1
   :widths: 20 80

   * - Attribute name
     - Value
   * - warnCode
     - ``</script>``
| As shown in the above example, when JavaScript code is generated dynamically from user input,
| the string literal (and here the script element itself) is terminated unintentionally, leading to an XSS vulnerability.

.. figure:: ./images/javascript_xss_screen_no_escape_result.png
   :alt: javascript_xss_screen_no_escape_result
   :width: 30%
   :align: center

   **Picture - No Escape Result**

**Output result**

| The value is written into the script as it is. The HTML parser ends the script element at the first ``</script>`` it sees,
| even though it sits inside a JavaScript string literal, so everything the attacker places after it is parsed as ordinary HTML
| and any ``<script>`` element there is executed.

.. tip::

    Generating JavaScript code dynamically from user input carries the risk that arbitrary script is inserted. An alternative
    approach should be considered, and this technique avoided as much as possible, unless there is a specific business requirement.
.. _xss_how_to_use_js_function_example:
Example of escaping output value using f:js() function
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
| To prevent XSS, it is recommended to use the EL function \ ``f:js()``\ for values entered by the user.

Usage example is shown below.

.. code-block:: jsp

    <script type="text/javascript">
        var warnCode = "${f:js(warnCode)}"; // (1)
    </script>

.. tabularcolumns:: |p{0.10\linewidth}|p{0.90\linewidth}|

.. list-table::
   :header-rows: 1
   :widths: 10 90

   * - Sr. No.
     - Description
   * - | (1)
     - | The value entered by the user is escaped by the EL function \ ``f:js()``\ and then assigned to the variable.

**Output result**

| ``f:js()`` escapes the characters that have meaning inside a JavaScript string literal, among them ``'``, ``"``, ``\``, ``/``, ``<`` and ``>``, as JavaScript escape sequences.
| With the input above, ``<`` and ``>`` are output as ``\u003C`` and ``\u003E`` and ``/`` as ``\/``, so the HTML parser no longer sees
| a ``</script>`` sequence, the script element is not terminated, and the value remains an ordinary string.
.. _xss_how_to_use_event_handler_escaping:
Event handler Escaping
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| To escape a value placed in a JavaScript event handler attribute, \ ``f:hjs()``\ should be used
| instead of \ ``f:h()``\ or \ ``f:js()``\ . It is equivalent to \ ``${f:h(f:js())}``\ .
| The reason is that when a value such as \ ``"');alert("XSS Attack");// "``\ is specified in an event handler attribute
| such as ``onmouseover``, a different script gets inserted.
| The browser decodes the attribute value as HTML before the JavaScript engine reads it, so escaping for JavaScript alone
| is not enough: after the value has been escaped for JavaScript, the result must also be escaped for HTML.
Example of vulnerability when output values are not escaped
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
| An example of the XSS problem is given below.
| The value entered by the user is output, without escaping, inside the single-quoted string literal that the
| ``onmouseover`` handler of an input element passes as an argument to a JavaScript function, as ``'${warnCode}'``.

.. tabularcolumns:: |p{0.20\linewidth}|p{0.80\linewidth}|

.. list-table::
   :header-rows: 1
   :widths: 20 80

   * - Attribute name
     - Value
   * - warnCode
     - | ``'); alert('XSS Attack!'); //``

| When the above value is set, the string literal is terminated unintentionally, leading to an XSS attack:
| the XSS dialog box is displayed on mouse over.
.. figure:: ./images/eventhandler_xss_screen_no_escape_result.png
   :alt: eventhandler_xss_screen_no_escape_result
   :width: 50%
   :align: center

   **Picture - No Escape Result**

**Output result**

| The leading ``')`` of the value closes the string literal and the function call, ``alert('XSS Attack!');`` then runs as a
| separate statement, and the trailing ``//`` comments out the remainder of the original handler so that no syntax error stops it.
.. _xss_how_to_use_hjs_function_example:
Example of escaping output value using f:hjs() function
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Example is shown below:

| The value is output inside the event handler attribute as ``'${f:hjs(warnCode)}'`` (1), in place of the unescaped ``'${warnCode}'``.

.. tabularcolumns:: |p{0.10\linewidth}|p{0.90\linewidth}|

.. list-table::
   :header-rows: 1
   :widths: 10 90

   * - Sr. No.
     - Description
   * - | (1)
     - | The value escaped by the EL function \ ``f:hjs()``\ is set as the argument of the JavaScript event handler.
       | The XSS dialog is not output on mouse over.
.. figure:: ./images/eventhandler_xss_screen_escape_result.png
   :alt: eventhandler_xss_screen_escape_result
   :width: 50%
   :align: center

   **Picture - Escape Result**

**Output result**

| Each ``'`` in the value is first escaped to ``\'`` by \ ``f:js()``\ , and the result is then HTML-escaped by \ ``f:h()``\ , which turns it into ``\&#39;`` (and ``//`` into ``\/\/``).
| The browser decodes the attribute value back to ``\'``, which the JavaScript parser reads as a quote character inside the string,
| so the literal is not terminated, the handler receives the whole value as ordinary text, and no dialog appears.
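The three contexts above (HTML output, a JavaScript string literal, and an event handler attribute) differ only in which characters let a value break out of its context. The following is an added example and not code from the TERASOLUNA guideline: a JavaScript model of ``f:h()``, ``f:js()`` and ``f:hjs()`` that renders each context with the payloads shown on this page and checks, the way the HTML and JavaScript parsers would, whether the breakout still occurs. The rule set of ``escapeJs`` is modelled on Spring's ``JavaScriptUtils.javaScriptEscape`` (an assumption), the function names, the ``showWarn`` handler and the ``handlerQuote`` payload are this example's own, and all payloads are constructed.

```javascript
// Added example, not TERASOLUNA code: a model of f:h(), f:js() and f:hjs() plus
// checks that the breakouts described on this page no longer occur.
"use strict";

// f:h() equivalent: the five HTML special characters from the table above.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// f:js() equivalent: JavaScript string-literal context. Rule set modelled on
// Spring's JavaScriptUtils.javaScriptEscape (assumption); < and > are escaped so
// that "</script>" inside the literal can no longer end the <script> element.
const JS_ESCAPES = {
  "\\": "\\\\", "'": "\\'", '"': '\\"', "/": "\\/", "<": "\\u003C", ">": "\\u003E",
  "\n": "\\n", "\r": "\\r", "\t": "\\t", "\u2028": "\\u2028", "\u2029": "\\u2029",
};
function escapeJs(s) {
  return String(s).replace(/[\\'"\/<>\n\r\t\u2028\u2029]/g, (c) => JS_ESCAPES[c]);
}

// f:hjs() equivalent, i.e. ${f:h(f:js(x))}: a JS literal inside an HTML attribute.
// The inner layer is for the JavaScript parser, the outer for the HTML parser,
// which decodes the attribute first.
function escapeHjs(s) {
  return escapeHtml(escapeJs(s));
}

const identity = (s) => String(s);

// The three output contexts from this page, rendered with a chosen escaper.
// showWarn is an assumed handler function name.
function renderCell(job, esc) {
  return `<td>${esc(job)}</td>`;
}
function renderScript(warnCode, esc) {
  return `<script type="text/javascript">var warnCode = "${esc(warnCode)}";</script>`;
}
function renderHandler(warnCode, esc) {
  return `<input type="text" onmouseover="showWarn('${esc(warnCode)}');">`;
}

// Check 1: no tag may survive inside the text cell.
function cellHasTag(html) {
  return /<[a-z/]/i.test(html.slice("<td>".length, -"</td>".length));
}
// Check 2: the HTML tokenizer ends script data at the first "</script"; more than
// one such sequence means the injected value terminated the script element early.
function scriptTerminatedEarly(html) {
  return (html.match(/<\/script/gi) || []).length !== 1;
}
// Check 3: take the attribute value as the browser would (up to the next '"'),
// decode entities, then require exactly one call with one well-formed string literal.
function decodeEntities(s) {
  const map = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => map[name]);
}
function handlerBrokenOut(html) {
  const m = /onmouseover="([^"]*)"/.exec(html);
  if (!m) return true;
  return !/^showWarn\('(?:[^'\\]|\\.)*'\);$/.test(decodeEntities(m[1]));
}

// Constructed payloads: those shown on this page, plus one with a double quote.
const PAYLOADS = {
  cell: "<script>alert('XSS')</script>",
  script: '</script><script>alert("XSS Attack")</script>',
  handler: "'); alert('XSS Attack!'); //",
  handlerQuote: '"); alert("XSS Attack"); //',
};

// true wherever the value still breaks out of its context.
function evaluate() {
  return {
    cell: {
      none: cellHasTag(renderCell(PAYLOADS.cell, identity)),
      h: cellHasTag(renderCell(PAYLOADS.cell, escapeHtml)),
    },
    script: {
      none: scriptTerminatedEarly(renderScript(PAYLOADS.script, identity)),
      js: scriptTerminatedEarly(renderScript(PAYLOADS.script, escapeJs)),
    },
    handler: {
      none: handlerBrokenOut(renderHandler(PAYLOADS.handler, identity)),
      h: handlerBrokenOut(renderHandler(PAYLOADS.handler, escapeHtml)),
      hjs: handlerBrokenOut(renderHandler(PAYLOADS.handler, escapeHjs)),
    },
    handlerQuote: {
      js: handlerBrokenOut(renderHandler(PAYLOADS.handlerQuote, escapeJs)),
      hjs: handlerBrokenOut(renderHandler(PAYLOADS.handlerQuote, escapeHjs)),
    },
  };
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Run it with ``node``. ``evaluate()`` returns ``true`` wherever the value still breaks out: the unescaped renderings, ``f:h()`` alone in the event handler (the browser decodes ``&#39;`` back into a quote before the JavaScript parser sees it), and ``f:js()`` alone against a value containing ``"``, where the ``\"`` it produces closes the double-quoted attribute before the JavaScript engine is ever involved. That last row is why the handler context needs both layers, in that order.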
.. raw:: latex

   \newpage