Websites get more complex by the day, with a lot of dynamic content to display, and the number of vulnerabilities grows in proportion. Cross-site scripting (XSS) is one of them. Let me explain it in terms of what I faced.
In an e-commerce site we normally have a search option. Now suppose we search for a term such as "ffddjkl". There are no results for that term, so we display a message similar to the following.
There are no results associated with the term ffddjkl.
Now suppose you enter <EMBED SRC="http://www.htmlcodetutorial.com/graphics/sounds/1812over.mid" AllowScriptAccess="always"></EMBED> in the search text field. Obviously there are no results for this term either, so we display the above message with the new search text. Here comes the vulnerability: the search text is written into the page exactly as it was typed, so the browser treats it as markup instead of text, and when the results page loads the MIDI file starts playing. Anything else an attacker puts in that field, a <script> tag for instance, is handled the same way. So you see the security catch, right?
Here we use the following code segment to display the message. fmt:message does not escape its parameters, so the request parameter is inserted as-is.
<fmt:message key="resourceBundleKey">
<fmt:param value="${param.searchText}"/>
</fmt:message>
To avoid the vulnerability, escape the parameter before fmt:message sees it. c:out with escapeXml="true" (which is also the default) converts &, <, >, ' and " into their entity references, so the browser shows the payload as text instead of rendering it.
<fmt:message key="resourceBundleKey">
<fmt:param>
<c:out value="${param.searchText}" escapeXml="true"/>
</fmt:param>
</fmt:message>
When you have a tag that only accepts its value through an attribute rather than through the tag body, escape the value into a page-scoped variable first and pass that variable instead.
<c:set var="myEscapedVar" scope="page">
<c:out value="${param.someRequestParameter}" escapeXml="true"/>
</c:set>
<some:tag value="${pageScope.myEscapedVar}"/>
Note that this escaping is right for HTML element content and quoted attribute values; a value that ends up inside a JavaScript string or a URL needs encoding appropriate to that context, which escapeXml does not provide.
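As an added example (my own code, not the original post's), the following Java program models what the page is doing. fmt:message with a fmt:param is backed by java.text.MessageFormat, so the program formats the same "no results" message twice: once with the raw request parameter, as the vulnerable JSP does, and once after running it through an escapeXml function that maps the same five characters JSTL's c:out escapeXml handles. The resource bundle key, the class name and the sample inputs are assumptions made for this example.

```java
import java.text.MessageFormat;
import java.util.Map;

/**
 * Added example, not code from the original post. Models the "no results"
 * search message with and without the escaping that c:out escapeXml="true"
 * applies before the value reaches fmt:message.
 */
public class SearchMessageEscaping {

    // Stand-in for the resource bundle; the key name is an assumption.
    private static final Map<String, String> BUNDLE = Map.of(
        "search.noResults", "There are no results associated with the term {0}.");

    // Escapes the same character set JSTL's escapeXml handles: & < > ' "
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the vulnerable JSP emits: fmt:param value="${param.searchText}" inserts the raw text.
    static String renderUnescaped(String searchText) {
        return MessageFormat.format(BUNDLE.get("search.noResults"), searchText);
    }

    // What the fixed JSP emits: the parameter is escaped before fmt:message formats it.
    static String renderEscaped(String searchText) {
        return MessageFormat.format(BUNDLE.get("search.noResults"), escapeXml(searchText));
    }

    // Sanity check: escaped output must not carry any raw tag delimiters.
    static boolean containsMarkup(String html) {
        return html.indexOf('<') >= 0 || html.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed inputs: the harmless term from the post, the EMBED payload from
        // the post, and two generic XSS probes.
        String[] inputs = {
            "ffddjkl",
            "<EMBED SRC=\"http://www.htmlcodetutorial.com/graphics/sounds/1812over.mid\" AllowScriptAccess=\"always\"></EMBED>",
            "<script>alert(document.cookie)</script>",
            "\" onmouseover=\"alert(1)"
        };
        for (String in : inputs) {
            String vulnerable = renderUnescaped(in);
            String fixed = renderEscaped(in);
            System.out.println("input        : " + in);
            System.out.println("vulnerable   : " + vulnerable + "  (markup=" + containsMarkup(vulnerable) + ")");
            System.out.println("escaped      : " + fixed + "  (markup=" + containsMarkup(fixed) + ")");
            System.out.println();
        }
    }
}
```

Running it shows the EMBED and script inputs surviving intact in the "vulnerable" line and appearing as &lt;EMBED ...&gt; entities in the "escaped" line; the last input shows why the double quote is part of the escaped set, since an unescaped quote lets a value break out of an attribute.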
For more information on XSS, see http://www.cgisecurity.com/xss-faq.html
Reference: http://michaelstudman.com/fullfathomfive/articles/2004/05/31/el-and-cross-site-scripting-attacks-jsp-2-functions-to-the-rescue