OWASP exposure - XSS
What is OWASP?
Open Web Application Security Project is a non-profit organisation founded in the US to analyse, document and share information pertaining to the most common and severe vulnerabilities in today's web applications. Their goal is to educate us - should we fail to do it ourselves - on the security weaknesses that we emply unknowingly in our applications, how to identify them, and how to prevent them. Put simply, they're a bunch of nights in shining armor helping us write more secure web applications.
Their mission, as they state it, is:
The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
Each year, OWASP publish a list of the web's top 10 vulnerablities that are found across the globe in an effort to educate and strengthen the applications made available to us all.
It's our job as programmers to take heed of the advice and understand what we're doing wrong and to improve on it.
Top 10 – XSS
Cross-site scripting – or XSS – is a vulnerability that has widespread prevalence. According to the OWASP it's the most common security found on websites today, and this has earned it the number 2 spot on their list.
As defined by the OWASP, XSS is:
XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content. There are three known types of XSS flaws: 1) Stored, 2) Reflected, and 3) DOM based XSS
XSS attacks happen usually because some input – innocent or otherwise – is blindly trusted and handed about an application without concern. The golden rule or never trusting input is violated and an attacker can wreak havoc.
As OWASP defines it, there are three types of XSS vulnerabilities: stored, reflected and DOM.
I'd argue that these are the worst of the three because the attack is persistent. Let's say you have a page content form that takes amongst other items a page title. These are stored in the database directly without validation and upon successful storage the information is presented back to the user via a 'preview' page. In your JSP you do the following (assume pageBean is the model behind your form and represents values that were stored in your DB):
To alleviate the issue above, you'd only have to use a JSTL c:out tag to output the page bean's title. By default the core out tag escapes XML so you don't have to worry.
DOM based XSS
Document Object Model – DOM – based attacks are slightly more complex then stored or reflected. These occur for example when client-side code is built using trusted values. If written incorrectly, the code acts or is structured upon certain expectations of input and that input is what can be leveraged to inject foreign code into the DOM. See the OWASP page on DOM XSS for a more comprehensive introduction.
Much of what you see from OWASP could be avoided by simple understanding of your input and by never trusting it! Don't blindly write input back to your users, and certainly don't store it without encoding it or sanitising it before use in dynamic code (and even then, sanitation code could be poorly implemented and give you a false sense of security.
I hope this has enlightened you or at least refreshed your memory on yet another critical aspect of development. Next week I'll cover authentication!