XSS Countermeasures
================================================================================

.. only:: html

 .. contents:: Table of Contents
    :local:

.. _SpringSecurityXSS:

Overview
--------------------------------------------------------------------------------

This chapter explains Cross-site scripting (hereinafter abbreviated as XSS).

Cross-site scripting is the injection of malicious scripts into trusted web sites by deliberately exploiting security defects in the web application.
For example, when data entered in a web application (form input etc.) is output in HTML without appropriate escaping, the tag characters present in the input value are interpreted as HTML as they are.
If a script with a malicious value is run, attacks such as session hijacking occur through tampering with or fetching of cookie values.

Stored & Reflected XSS Attacks
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

XSS attacks are broadly classified into two categories.

**Stored XSS Attacks**

In Stored XSS Attacks, the malicious code is permanently stored on the target server (for example, in a database). When the stored information is requested, the user retrieves the malicious script from the server and ends up running it.

**Reflected XSS Attacks**

In Reflected XSS Attacks, the malicious code sent as a part of the request to the server is reflected back along with error messages, search results, or other types of responses. When a user clicks the malicious link or submits a specially crafted form, the injected code is returned to the user's browser as part of the response, where the attack takes effect. The browser ends up executing the malicious code because the value came from a trusted server.

Both Stored XSS Attacks and Reflected XSS Attacks can be prevented by escaping output values.

How to use
--------------------------------------------------------------------------------

When the input from the user is output as is, the system is exposed to an XSS vulnerability.
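To make that concrete, the following is an added Java example; it is not code from this guideline or from the framework's ``f:h()`` function. ``escapeHtml`` performs the standard replacement of the five HTML special characters (``&``, ``<``, ``>``, ``"``, ``'``) with their character references, and ``renderUnsafe`` / ``renderEscaped`` show the same constructed input placed into an HTML body as is and after escaping. The class, method names and the sample input are assumptions made for illustration.

```java
// Added example (not code from the guideline or from f:h()): HTML output
// escaping of the five special characters, applied to a constructed input.
public class HtmlOutputEscapingExample {

    /**
     * Replace the characters that have a special meaning in HTML markup
     * with their character references. Null is passed through unchanged
     * so callers can use the method on optional values.
     */
    public static String escapeHtml(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable: the user-supplied value is placed into the HTML body as is. */
    public static String renderUnsafe(String userInput) {
        return "<p>" + userInput + "</p>";
    }

    /** Hardened: the value is escaped exactly once, at the point of output. */
    public static String renderEscaped(String userInput) {
        return "<p>" + escapeHtml(userInput) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input (hypothetical) containing every character
        // from the escaping table: & < > " '
        String userInput = "<b>Tom & \"Jerry\"</b> said 'hi'";

        // Unescaped, the <b> tag is interpreted as markup by the browser;
        // escaped, it is displayed literally as text.
        System.out.println("Unsafe : " + renderUnsafe(userInput));
        System.out.println("Escaped: " + renderEscaped(userInput));
    }
}
```

Two points the example is meant to make visible. First, the escaping is applied once, at output time: escaping a value that is already escaped turns ``&amp;`` into ``&amp;amp;`` and corrupts the display, so the value should be stored as entered and escaped only when it is written into the response. Second, this replacement is correct only for text placed in the HTML body or in a quoted attribute value; values written into a ``<script>`` block or into an event handler attribute need the JavaScript and event handler escaping that this chapter lists separately.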
Therefore, as a countermeasure against XSS vulnerability, it is necessary to escape the characters which have a specific meaning in the HTML markup language.
Escaping should be divided into 3 types, as needed.

Escaping types:

* Output Escaping
* JavaScript Escaping
* Event handler Escaping

.. _xss_how_to_use_ouput_escaping:

Output Escaping
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Escaping HTML special characters is a fundamental countermeasure against XSS vulnerability.
Examples of special characters that require escaping in HTML, and the result of escaping each of them, are as follows:

.. tabularcolumns:: |p{0.50\linewidth}|p{0.50\linewidth}|
.. list-table::
   :header-rows: 1
   :widths: 50 50

   * - | Before escaping
     - | After escaping
   * - | "``&``"
     - | ``&amp;``
   * - | "``<``"
     - | ``&lt;``
   * - | "``>``"
     - | ``&gt;``
   * - | "\ ``"``\"
     - | ``&quot;``
   * - | "``'``"
     - | ``&#39;``

To prevent XSS, \ ``f:h()``\  should be used in all display items that are to be output as strings.

An example of an application where an input value is re-output on a different screen is given below.

Example of vulnerability when output values are not escaped
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

The example below is given only for reference; it should never be implemented.

**Implementation of output screen**

.. code-block:: jsp