Thursday, September 8, 2016

Handling Cross-Site Scripting

Cross-site scripting (XSS) is one of the most common issues in web applications. An XSS vulnerability exists when hackers are able to execute script code in your application. This happens by exploiting weaknesses in the application code, such as:
  1. Trusting data which comes from any of the connected systems.
  2. Lack of a data filter which cleanses data before it goes inside the system.
  3. Use of the scriptlet <%=%> for printing data in a JSP without validating the data.
XSS can broadly be categorized into two types.
  • Persistent: the hacker is able to store malicious code in the application persistence layer (DB), and whenever any application user visits the web page, this malicious code gets executed and the hacker is able to exploit that user. This type is persistent and is the more dangerous one.
         The hacker can add a dynamic redirection to one of his malicious sites and capture confidential data. As this redirection happens from the parent site, the user will not doubt it and may provide their confidential data.
  • Non-persistent: the malicious script is executed at runtime, where the hacker passes the script code in from the UI. This type is also called reflected XSS.
Generally, if this vulnerability is present in the application, the application developer or lead should not target only the specific places where the issues were identified. They need to fix the issue application-wide, as individual fixes will not make the entire application free from XSS.

Following are the points which need to be taken care of.

The data needs to be sanitized at the entry point, so that the application never receives malicious data.

In Java this can be handled by adding a Filter which sanitizes every request coming from the Web.
Note: This only sanitizes the data which is coming from the Web. If you have other sources of data, such as feed files, materialized views, direct DB updates, or data read from web service calls, they also need to be taken care of. These are out of scope for this blog.

Creating the filter. The main purpose of this filter class is to encode/escape values which have tags in them. Plain strings and other values are kept as they are. Escaping these characters neutralizes them, so the browser will not execute them as script tags or interpret them as predefined HTML tags.

The first step is to create a Request Wrapper class which is responsible for encoding the values. This class extends "javax.servlet.http.HttpServletRequestWrapper", which provides methods such as "getParameter" and "getParameterValues"; the escaping logic only needs to be added in these methods.

Below is the sample code

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang.StringEscapeUtils;

public class XssReqWrapper extends HttpServletRequestWrapper {

 public XssReqWrapper(HttpServletRequest request) {
  super(request);
 }

 // Escape a single parameter value so that "<", ">", "&" and '"' cannot be
 // interpreted as markup by the browser when the value is printed in a page.
 @Override
 public String getParameter(String name) {
  if (name != null) {
   String value = super.getParameter(name);
   // escapeHtml returns null for a null input, so a missing parameter stays null.
   return StringEscapeUtils.escapeHtml(value);
  }
  return super.getParameter(name);
 }

 // Same escaping for multi-valued parameters (check boxes, multi-selects).
 @Override
 public String[] getParameterValues(String name) {
  if (name != null) {
   String[] values = super.getParameterValues(name);
   if (values != null) {
    String[] encodedValues = new String[values.length];
    for (int i = 0; i < values.length; ++i) {
     encodedValues[i] = StringEscapeUtils.escapeHtml(values[i]);
    }
    return encodedValues;
   }
  }
  return null;
 }
}
Here I am using the class "org.apache.commons.lang.StringEscapeUtils" to escape the characters. For this you need to add the "commons-lang-2.6.jar" file to the classpath.
Create a Filter class which implements "javax.servlet.Filter" and overrides the methods doFilter, destroy and init. In this example I will use only the doFilter method, as that is the method which wraps the request so that the escaping logic is applied. Below is the sample code.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class XssFilter implements Filter {
 @Override
 public void destroy() {
  //left intentionally empty
 }

 @Override
 public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
   throws IOException, ServletException {
  HttpServletRequest httpReq=(HttpServletRequest) req;
  chain.doFilter(new XssReqWrapper(httpReq), res);
 }

 @Override
 public void init(FilterConfig config) throws ServletException {
  //left intentionally empty
 }
}
Once the above classes are created, open the web.xml file and add the following lines. This will enable the filter in the web application, and the filter will be called for each and every request.
<filter>
 <filter-name>xssFilter</filter-name>
 <filter-class>com.xss.sample.XssFilter</filter-class>
</filter>
<filter-mapping>
 <filter-name>xssFilter</filter-name>
 <url-pattern>/*</url-pattern>
</filter-mapping>
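To check the wrapper outside a servlet container, here is an added example (not from the original post) that backs XssReqWrapper with a java.lang.reflect.Proxy answering only getParameter and getParameterValues from a constructed parameter map. It assumes the XssReqWrapper class above, the servlet API and commons-lang-2.6.jar are on the classpath; the class name XssReqWrapperDemo and the parameter names are mine.

```java
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

public class XssReqWrapperDemo {

  // Constructed stand-in for the container's request: a dynamic proxy that
  // serves getParameter/getParameterValues from the map and rejects anything else.
  static HttpServletRequest fakeRequest(final Map<String, String[]> params) {
    return (HttpServletRequest) Proxy.newProxyInstance(
        XssReqWrapperDemo.class.getClassLoader(),
        new Class<?>[] { HttpServletRequest.class },
        (proxy, method, args) -> {
          switch (method.getName()) {
            case "getParameter": {
              String[] v = params.get((String) args[0]);
              return v == null ? null : v[0];
            }
            case "getParameterValues":
              return params.get((String) args[0]);
            default:
              throw new UnsupportedOperationException(method.getName());
          }
        });
  }

  public static void main(String[] args) {
    Map<String, String[]> params = new HashMap<>();
    // The value typed into the login page in the demo below, plus a few more cases.
    params.put("userName", new String[] { "<script> alert('Hello')</script>" });
    params.put("tags", new String[] { "a&b", "\"quoted\"", "it's" });

    HttpServletRequest req = new XssReqWrapper(fakeRequest(params));

    // "<" and ">" come back as "&lt;" and "&gt;", so the forwarded JSP prints
    // them as text instead of the browser running the script.
    System.out.println("userName = " + req.getParameter("userName"));

    // "&" and double quotes are escaped too; commons-lang 2.6 escapeHtml leaves
    // the single quote (') alone, so single-quoted HTML attributes still need
    // output encoding of their own.
    for (String t : req.getParameterValues("tags")) {
      System.out.println("tag = " + t);
    }

    // A missing parameter passes through as null rather than throwing.
    System.out.println("missing = " + req.getParameter("missing"));
  }
}
```

Because the escaping is HTML-entity encoding, it protects values printed into the HTML body; values placed into JavaScript or URL contexts still need the encoding appropriate to that context at output time.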
Below is a demo where I show the behavior of the application without the filter and with the filter.

Application without XssFilter.

Below is the login page where I submit the form with "<script> alert('Hello')</script>" as the user name.



Once this page is submitted to the server, it does a simple forward to another page where I print the user name. See below what happens: the browser interprets the script tag as a valid tag and executes it while loading the page. This is where hackers can redirect the user to a malicious page and capture information from them.

Also see the console output of the value.


Application with XssFilter.


I will pass exactly the same value as shown in the login page above. But on the subsequent page the browser now does not show any alert. It treats it as a normal value and displays it in the UI.

Also see the change the filter makes to the submitted value. Check the console logs.

Here the filter class encodes "<" and ">" to "&lt;" and "&gt;", which the browser treats as a normal string and displays as text.

That is all for cross-site scripting; I will cover some other security vulnerabilities in an upcoming post.
