DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones AWS Cloud
by AWS Developer Relations
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones
AWS Cloud
by AWS Developer Relations
The Latest "Software Integration: The Intersection of APIs, Microservices, and Cloud-Based Systems" Trend Report
Get the report

Securing Your JSF Pages Against XSS

Ed Lee user avatar by
Ed Lee
·
Mar. 22, 10 · Interview
Like (1)
Save
Tweet
Share
27.45K Views

Join the DZone community and get the full member experience.

Join For Free

Cross site scripting (XSS) is a security vulnerability found in websites where malicious attackers inject malicious javascripts to steal information from users accessing the websites. This type of attack usually take advantage of defects in websites that have minimum checking on user inputs hence allow attackers to put malicious code onto the websites. There are a few types of attacks

1. Non-persistent, where attackers put malicious code in the request, resulting in the destination page executing the code. Even though this seems harmless (because it seems like the attackers can only attack the page he is viewing himself), however, attackers can put the malicious code inside a hidden frame on his/her own websites and once the user visits the website, the malicious code is executed without user knowing, and therefore steal visitors information. For example, I could have hide the code of this link inside a hidden frame and submit the cookie back into my server.

2. Persistent Very similiar technique are applied here, but this impact is much more wide spread and serious. This is because attackers are able to embed malicious code into the content of a prominent website. Websites that allows people to post HTML contents usually suffer from this vulnerability.

Protect your site against XSS

Obviously the best defense to XSS is to make sure that you always validate inputs from browser. Here I will share a few tips with JSF/Java developers on some of the defense techniques available.

Escape output text

<h:outputText/> and <h:outputLabel/> by default has the escape attribute set to True. By using this tag to display outputs, you are able to mitigate majority of the XSS vulnerability.

SeamTextParser and <s:formattedText/>

If you would like to allow users to utilise some of the basic html tags to customise their inputs, JBoss Seam provides a <s:formattedText/> tag that allows some basic html tags and styles specified by users. Please refer to the Seam Reference Manual for details on the syntax. You can also customise SeamTextParse to add additional supported syntax. The <s:formattedText/> tag uses this class to validate and escape user's inputs by default.

Protect your site's cookies

Java web application doesn't make heavy uses of cookies, however, jsessionid is the cookie that mostjava web application must have in order for the application server to keep track of user sessions. To protect cookies against malicious javascript, most modern browsers support the feature to allow application to specify whether a specific cookie can be accessed by javascript or should be for http only. Below is a list of browsers and the support for http-only setting:

Browser Version No Reads No Writes Read in XMLHttpResponse
IE 6 sp1 yes no no
IE 7 yes yes partially
IE 8 beta 2 yes yes partially
Firefox 3 yes yes yes
Safari 3 no no no
Chrome Beta yes no no

 (Source: OWASP)

Some application servers also allow http-only jsessionid cookie configuration as well, here is a list of supported servers and their versions.

Application Server Version HttpOnly jsessionid
Tomcat 6 No, but can use apache with mod_header Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly
Tomcat 5 No, but can use apache with mod_header
JBoss EAP 5 <Context cookies="true" crossContext="true" useHttpOnly="true">
JBoss EAP 4.3 No, but can use apache with mod_header
Weblogic 10.3 No, but can use apache with mod_header
Weblogic 9 <wls:session-descriptor> <wls:cookie-http-only>true</wls:cookie-http-only> </wls:session-descriptor>
Jetty   No

Defending against malicious attackers is not an easy tasks. However, most of the attacks can be mitigated by employing simple principles during application development, such as escaping user inputs. Raising the awareness of security, provide training, and setting common practices are the most effective way to protect your websites.

From KoLe Enterprise Consulting blog

Web application

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Test Execution Tutorial: A Comprehensive Guide With Examples and Best Practices
  • Best Navicat Alternative for Windows
  • 10 Things to Know When Using SHACL With GraphDB
  • Host Hack Attempt Detection Using ELK

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: