Java, J2EE, Struts, Spring and JSP: Cross-Site Scripting (XSS) frameworks, libraries and tools
There are many ways to handle XSS (cross-site scripting) problems in Java, J2EE, Struts, Spring, and JSP applications. This post covers the most popular techniques first and then the libraries that implement them.
Ways to fix XSS issues in Java
Servlet Filters: The most common approach is an inbound servlet filter that intercepts each request and wraps it in an HttpServletRequestWrapper whose getParameter methods return values with dangerous markup removed. One can see the code snippet here. The approach shown in that example is deliberately simple: the wrapper removes script tags and the < and > characters. That is a blacklist, so it does nothing against SQL injection, and on its own it misses XSS payloads that need no angle brackets, such as data that lands inside an existing attribute or a JavaScript block. If one needs stronger filtering, combine it with an encoding library such as Reform, XssProtect, or AntiXss, and still encode values when they are written to the page.
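As an added example (my own code, not the snippet linked from the original post), here is a filter of that shape written against the Servlet 2.5/3.0 API. The class names XssFilter and XssRequestWrapper are my own. It also overrides getParameterValues, getParameterMap and getHeader, because frameworks often read parameters through those rather than through getParameter alone.

```java
// Added example, not from the original post: an inbound servlet filter that
// wraps each request so parameter values come back with <script> blocks and
// angle brackets removed. Class names are my own. This is a blacklist: it
// does not cover event-handler attributes, javascript: URLs or encoded
// payloads, so output encoding (for example c:out) is still required.
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XssFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Wrap only HTTP requests; anything else passes through untouched.
        if (request instanceof HttpServletRequest) {
            request = new XssRequestWrapper((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    /** Request wrapper that cleans every parameter value before the application sees it. */
    static class XssRequestWrapper extends HttpServletRequestWrapper {

        // Case-insensitive <script ...>...</script> including its body, plus a stray
        // opening or closing tag; DOTALL so a payload split across lines still matches.
        private static final Pattern SCRIPT = Pattern.compile(
                "<script[^>]*>.*?</script\\s*>|</?script[^>]*>",
                Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

        XssRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            return clean(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) {
                return null;
            }
            String[] cleaned = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                cleaned[i] = clean(values[i]);
            }
            return cleaned;
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            // Some frameworks read the whole map instead of individual values,
            // so rebuild it from the cleaned arrays.
            Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
            Enumeration<?> names = super.getParameterNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                cleaned.put(name, getParameterValues(name));
            }
            return Collections.unmodifiableMap(cleaned);
        }

        @Override
        public String getHeader(String name) {
            // Headers such as Referer or User-Agent are often echoed into pages too.
            return clean(super.getHeader(name));
        }

        static String clean(String value) {
            if (value == null) {
                return null;
            }
            String out = SCRIPT.matcher(value).replaceAll("");
            // Drop the angle brackets so no new tag can be formed at all.
            return out.replace("<", "").replace(">", "");
        }
    }
}
```

Register the filter in web.xml with a filter-mapping on /* so it runs ahead of the Struts or Spring dispatcher. Because the wrapper mutates input, anything the application stores will already have lost its angle brackets; that is acceptable for most form data but not for fields that legitimately contain markup, which is one more reason to prefer encoding at output time.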
JSP Printing: The other safeguard is to never print user-supplied data with a scriptlet such as <%= ... %>. Use a tag that escapes its output instead, such as JSTL's c:out, which by default (escapeXml="true") converts the five XML-significant characters <, >, &, ' and " to entities. Plain EL such as ${param.name} does not escape anything, so it needs the same treatment. With the output escaped, a script tag injected into the request is rendered as visible text rather than executed. This covers HTML body and quoted-attribute contexts; data written into JavaScript or URLs needs a context-specific encoder.
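To make the contrast concrete, here is an added JSP fragment (my own, not from the original post) that puts the scriptlet and raw EL forms next to the escaped c:out form. It assumes JSTL 1.1 or later; the parameter name q is arbitrary.

```jsp
<%-- Added example, not from the original post. Assumes JSTL 1.1+ core and functions taglibs. --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<html>
<body>
<%-- VULNERABLE: the scriptlet writes the raw parameter, so
     ?q=<script>alert(document.cookie)</script> executes in the victim's browser. --%>
<p>You searched for: <%= request.getParameter("q") %></p>

<%-- ALSO VULNERABLE: plain EL performs no escaping either. --%>
<p>You searched for: ${param.q}</p>

<%-- SAFE for HTML body text: c:out has escapeXml="true" by default, so
     < > & ' " are written as &lt; &gt; &amp; &#039; &#034; and the
     injected tag shows up as text instead of running. --%>
<p>You searched for: <c:out value="${param.q}"/></p>

<%-- SAFE inside a quoted attribute, where a tag cannot be used:
     fn:escapeXml applies the same five-character escaping. --%>
<input type="text" name="q" value="${fn:escapeXml(param.q)}"/>

<%-- c:out and fn:escapeXml are HTML/XML escaping only. A value that ends up inside a
     <script> block, an href, or an onclick handler needs a JavaScript or URL encoder
     (see the libraries listed later in this post), not escapeXml. --%>
</body>
</html>
```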
Cookie: Cookies should be exchanged in secure mode. Use HTTPS/SSL at least for public sites that handle logins or other sensitive transactions, and when the site runs over HTTPS call the Java Cookie object's setSecure(true) method so that "the browser will send the cookie using a secure protocol only, such as HTTPS or SSL". A cookie that carries the session should also be marked HttpOnly (Cookie.setHttpOnly in Servlet 3.0), so that a script injected through an XSS flaw cannot read it from document.cookie.
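An added example (my own, not from the original post) of issuing a cookie with both flags. The class name and cookie name are illustrative. The first method assumes the Servlet 3.0 API, which exposes setHttpOnly; the second writes the Set-Cookie header by hand for older containers.

```java
// Added example, not from the original post. Issues a session-style cookie with the
// Secure flag (the post's advice) plus HttpOnly so page scripts cannot read it.
// Class and cookie names are illustrative; sessionCookie needs Servlet 3.0+.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class SecureCookies {

    /** Servlet 3.0+: both flags are available on the Cookie object itself. */
    public static Cookie sessionCookie(String name, String value) {
        requireHeaderSafe(value);
        Cookie c = new Cookie(name, value);
        c.setPath("/");
        c.setSecure(true);    // browser sends it over HTTPS only
        c.setHttpOnly(true);  // hidden from document.cookie, limits what XSS can steal
        return c;
    }

    /** Servlet 2.5 and older: no setHttpOnly, so emit the header directly. */
    public static void addLegacySessionCookie(HttpServletResponse response,
                                              String name, String value) {
        requireHeaderSafe(value);
        response.addHeader("Set-Cookie",
                name + "=" + value + "; Path=/; Secure; HttpOnly");
    }

    /** A ';', CR or LF in the value could add attributes or whole headers, so reject them. */
    private static void requireHeaderSafe(String s) {
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            if (ch == ';' || ch == '\r' || ch == '\n') {
                throw new IllegalArgumentException("unsafe cookie value");
            }
        }
    }
}
```

Set Secure unconditionally rather than from request.isSecure(), which reports false behind a TLS-terminating load balancer. For the container's own JSESSIONID, Servlet 3.0 lets you declare the same flags in web.xml through session-config / cookie-config (secure and http-only) instead of touching the cookie in code.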
ViewHelpers/Renderers: If one builds HTML in a view helper or renderer, use an encoding library such as Reform so that every user-supplied value is properly encoded for the context it is written into before it becomes part of the HTML.
Tools to fix XSS issues in Java
HDIV: If you have an MVC-based J2EE app on either Struts or Spring, HDIV is the most complete solution available today. It follows OWASP recommendations, and its cipher-and-hash state mechanism detects tampered requests and rejects them before they can do harm. Integration effort is small because it overrides the existing Spring and Struts tags, so existing code keeps working after the initial setup. With plain JSTL, HDIV overrides the core library's c:url and c:redirect tags.
Reform: An OWASP-released library for Java that provides encoders for the different output contexts: HTML body text, HTML attributes, and JavaScript.
XssProtect: Hosted as a Google Code project, this is a pluggable, filter-based library that also accepts custom filters. Its developers state that it is tested against every case on the cheat sheet at http://ha.ckers.org/xss.htm.
Anti-XSS for Java: A port of the Microsoft Anti-XSS library to Java, so anyone who knows the .NET version will feel at home. It likewise provides methods for encoding HTML body text, attributes, and script content against XSS.
Disclaimer: The information in this blog reflects methods and updates available at the time of writing.