Beruflich Dokumente
Kultur Dokumente
responses
Uncover the basics of cross-site scripting attacks and learn how you can prevent them using a
Java™-based approach to encode HTML output from a server.
Note: Refer to the tutorial, "Protect your apps from cross-site scripting (XSS) attacks" to use the
developer sandbox. The code snippet in that tutorial shows you how to use escape sequences so
that any injected code can't run.
Companies move applications to the web to improve customer interactions, lower business
processing costs, and speed outcomes. But doing so also increases vulnerabilities—unless
security is an integral component of the application development process. To learn more
about creating a culture of security in your organization, download and read "Secure Web
Applications: Creating a Security Culture."
In a cross-site scripting (XSS) attack, the attacker injects malicious code into a legitimate web
page that then runs malicious client-side script. When a user visits the infected web page, the
script is downloaded to, and run from, the user's browser. There are many variations to this
scheme. The malicious script could access browser cookies, session tokens, or other sensitive
information retained by the browser. However, all XSS attacks follow the pattern shown in Figure 1.
XSS vulnerabilities
In a typical XSS attack, the attacker finds a way to insert a string into a server's
web page. Suppose the attacker injects the following string into the web page:
<script>alert("attacked")</script> . Every time an end user visits this page, their browser will
download this script and run it as part of rendering the page. In this case, the script will run and the
user sees an alert pop up that says "attacked."
Impact of XSS
When attackers successfully exploit XSS vulnerabilities in a web application, they can insert script
that gives them access to end users' account credentials. Attackers can perform a variety of
malicious activities, such as:
• Hijack an account
• Spread web worms
• Access browser history and clipboard contents
• Control the browser remotely
• Scan and exploit intranet appliances and applications
Table 1 shows the entity name for some common HTML characters.
When a web browser encounters the entities, they will be converted back to HTML and printed
but they will not be run. For example, if an attacker injects <script>alert("you are attacked")</
script> into a variable field of a server's web page, the server will, using this strategy, return
<script>alert("you are attacked")</script>.
When the web browser downloads the encoded script, it will convert the encoded script back to
<script>alert("you are attacked")</script> and display the script as part of the web page but
the browser will not run the script.
In the Java example in Listing 1, for the HTML encoding the input is String "<script>alert(\"abc
\")</script>". Use the following steps.
1. Create a hashmap of all HTML entities and their decimal values. The example shows only
three entries. You need to map all HTML entities with their decimal values in this map. Table
2 shows some of the commonly used entities and their decimal values. For a complete
reference of all character entities, see the HTML Entities Reference in Resources.
2. Create a StringWriter of buffer 1.5 times the size of the input string length.
3. Pass both this writer and input string to the escape method, which picks up each character of
the string one by one and gets the integer value of the character.
4. Pass the integer value to the map you created in step 1, fetch the entity name, and write this
value on the writer.
Every character of the string will be converted into its entity name.
38 & Ampersand
Conclusion
Cross-site scripting is still one of the most common ways to attack a user's machine. However, you
can largely eliminate an attacker's ability to infect your web application with malicious code. When
writing your application, be diligent about encoding all variable output in a page before sending it to
the end user's browser.