struts-user mailing list archives

From "Van Riper, Mike" <mvanri...@verisign.com>
Subject Cross Site Scripting (XSS) issues with Struts 1.1-b2?
Date Mon, 09 Sep 2002 04:29:10 GMT
If you are not familiar with what I mean by cross site scripting (XSS), here
are two links with information about it:

   http://www.cgisecurity.com/articles/xss-faq.shtml

   http://www.cert.org/advisories/CA-2000-02.html

According to the first FAQ above, some of the things that should be done to
protect your web application are:

    "Never trust user input and always filter metacharacters. This will
    eliminate the majority of XSS attacks. Converting < and > to &lt; and &gt;
    is also suggested when it comes to script output. Remember XSS holes can be
    damaging and costly to your business if abused. Often attackers will
    disclose these holes to the public, which can erode customer and public
    confidence in the security and privacy of your organization's site.
    Filtering < and > alone will not solve all cross site scripting attacks and
    it is suggested you also attempt to filter out ( and ) by translating them
    to &#40; and &#41;, and also # and & by translating them to &#35 (#) and
    &#38 (&)."

I saw some old discussions on the Struts-Dev list about default behavior in
the <bean:write> custom tag. Checking recent documentation, the default
behavior is to do this sort of filtering/conversion now for <bean:write>.
So, that particular aspect is covered as long as I don't explicitly set the
"filter" attribute to "false" in my <bean:write> tags.

I didn't see any discussion of how Struts processes request parameters when
auto-populating form beans. Is similar filtering/conversion being done there
as well? Are there any other aspects of this particular security issue that
I need to be concerned about while developing my web application with Struts
1.1-b2?

- Mike Van Riper
  mailto:mvanriper@verisign.com
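As an added example (my own code, not from the message above or from Struts): Struts copies request parameters into form-bean properties unchanged, and the escaping the FAQ describes happens at render time, where <bean:write> with the default filter="true" passes the value through ResponseUtils.filter (which handles <, >, & and quotes). The routine below does the same job at output time but covers the FAQ's fuller character list; CommentForm and the sample parameter value are constructed for this illustration.

```java
public final class XssFilterExample {

    /** Hypothetical form bean: the property keeps whatever the request carried. */
    public static class CommentForm {
        private String comment;
        public String getComment() { return comment; }
        public void setComment(String comment) { this.comment = comment; }
    }

    /**
     * Escape a value for HTML output. Covers the characters the FAQ lists
     * (< > ( ) # &) plus both quote characters, so the result is also safe
     * inside a quoted attribute value. Each character is mapped once, so
     * '&' is never double-escaped.
     */
    public static String filter(String value) {
        if (value == null || value.length() == 0) {
            return value;
        }
        StringBuffer out = new StringBuffer(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '(':  out.append("&#40;");  break;
                case ')':  out.append("&#41;");  break;
                case '#':  out.append("&#35;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed request parameter value, stored exactly as form-bean population leaves it.
        CommentForm form = new CommentForm();
        form.setComment("<b>hi</b> & \"bye\" (#1)");
        // Unescaped: what <bean:write filter="false"> would write into the page.
        System.out.println("raw    : " + form.getComment());
        // Escaped: the output-time conversion the default filter="true" path performs.
        System.out.println("escaped: " + filter(form.getComment()));
    }
}
```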
