Udy's engravings

Creating a new dimension …

5 Minutes on Java – A dictionary based XSS detection …

Posted by Udy on May 7, 2009

Cross-site scripting (XSS) detection is a fundamental task for web developers, and it is often one of their prime security concerns.  There are many ways to implement it, depending on where XSS must be detected.

Consider the context of servlets and XSS validation.  The simplest approach is to validate all request parameters before processing them.  This way, SQL injection attempted through XSS payloads can be caught, and the execution of some kind of code can be forbidden, which is useful in cases where forwards are done.

This XssValidator class should do the job.  Since it is dictionary based, the dictionary can be updated to strengthen protection as new attack patterns are found.

```java
package udy.foss.utils;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

import org.apache.log4j.Logger;

public class XssValidator {

    private static final Logger logger = Logger.getLogger(XssValidator.class.getName());

    // Dictionary entries, stored trimmed and lower-cased once at load time so
    // isSafe() does not have to normalise every rule on every call.
    private static final List<String> dictionary = new ArrayList<String>();

    /**
     * Reads the dictionary, one entry per line. Blank lines and duplicate
     * entries are skipped. The stream is closed when loading finishes.
     */
    public static void loadDictionary(InputStream is) {
        BufferedReader br = null;
        try {
            br = new BufferedReader(new InputStreamReader(is, "UTF-8"));
            String strLine;
            // Read each vulnerability pattern
            while ((strLine = br.readLine()) != null) {
                String rule = strLine.trim().toLowerCase();
                // Add only non-empty lines, and each rule only once
                if (rule.length() > 0 && !dictionary.contains(rule)) {
                    dictionary.add(rule);
                }
            }
        } catch (IOException e) {
            // Logged at error level: an empty dictionary makes isSafe() accept everything.
            logger.error("Exception loading dictionary\t" + e.getMessage());
        } finally {
            if (br != null) {
                try { br.close(); } catch (IOException ignored) { }
            }
        }
    }

    /**
     * Returns true when the input contains none of the dictionary entries.
     * Matching is a case-insensitive substring test, so a short entry such
     * as "<" rejects any input that contains that character.
     */
    public static boolean isSafe(String string) {
        if (string == null || string.length() == 0) {
            return true;
        }
        String needle = string.trim().toLowerCase();
        for (String rule : dictionary) {
            if (needle.contains(rule)) {
                return false;
            }
        }
        return true;
    }
}
```

Consider a servlet that initializes and loads the dictionary using the method below.

```java
public static synchronized void initialize(ServletConfig config) throws ServletException {
    try {
        // getRealPath() returns null when the WAR is not unpacked on disk;
        // the resulting exception is reported and deployment fails below.
        String dictPath = config.getServletContext().getRealPath("WEB-INF/XSS.dict");
        XssValidator.loadDictionary(new FileInputStream(dictPath));
    } catch (Exception e) {
        logger.error("Exception loading XSS dictionary", e);
        // Fail closed: without the dictionary every parameter would be reported as safe.
        throw new ServletException("Exception loading XSS dictionary", e);
    }
}
```

Once the dictionary is loaded, the parameters can be validated using the isSafe method.

```java
String someParam = request.getParameter("someParam");
if (XssValidator.isSafe(someParam)) {
    // Take some action here
}
```
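The two steps above (load the dictionary once, then check each parameter) can be applied to every request at once by putting the check in a servlet filter. The following is an added example, not code from the original post: it uses the XssValidator class above, loads WEB-INF/XSS.dict in init(), and rejects with HTTP 400 any request whose parameter names or values fail isSafe(). The filter class name, the start-up self-check with a constructed known-bad sample, and the log fields are my own choices.

```java
package udy.foss.utils; // hypothetical placement, beside XssValidator

import java.io.FileInputStream;
import java.io.IOException;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;

/**
 * Runs XssValidator.isSafe() over every parameter name and value of every
 * request before it reaches any servlet or JSP. Rejected requests get HTTP 400.
 */
public class XssParameterFilter implements Filter {

    private static final Logger logger = Logger.getLogger(XssParameterFilter.class.getName());

    public void init(FilterConfig config) throws ServletException {
        try {
            // Same location the post uses for the dictionary.
            String dictPath = config.getServletContext().getRealPath("WEB-INF/XSS.dict");
            XssValidator.loadDictionary(new FileInputStream(dictPath));
        } catch (IOException e) {
            throw new ServletException("Cannot open XSS dictionary", e);
        }
        // Self-check with a constructed known-bad sample: loadDictionary() logs
        // and swallows read errors, so confirm the dictionary actually flags
        // something before accepting traffic. Fail closed otherwise.
        if (XssValidator.isSafe("<script>")) {
            throw new ServletException("XSS dictionary appears to be empty; refusing to start");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String badParam = firstUnsafeParameter(request.getParameterMap());
        if (badParam != null) {
            // Log the parameter name, not its value: the value is attacker-controlled
            // and would otherwise land verbatim in the log file.
            logger.warn("Rejected " + request.getMethod() + " " + request.getRequestURI()
                    + " from " + request.getRemoteAddr()
                    + ": parameter '" + badParam + "' matched the XSS dictionary");
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid request parameter");
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns the name of the first parameter whose name or any of whose values
     * fails XssValidator.isSafe(), or null when all parameters pass.
     */
    @SuppressWarnings("unchecked")
    static String firstUnsafeParameter(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            String name = entry.getKey();
            if (!XssValidator.isSafe(name)) {
                return name;
            }
            for (String value : entry.getValue()) {
                if (!XssValidator.isSafe(value)) {
                    return name;
                }
            }
        }
        return null;
    }

    public void destroy() {
        // Nothing to release; the dictionary lives for the lifetime of the class.
    }
}
```

Register the filter in web.xml with a `<filter>` element naming this class and a `<filter-mapping>` whose `url-pattern` is `/*`, so that no servlet is reachable without the check. A dictionary match is a detection measure only: whatever the filter lets through still has to be output-encoded where it is written into HTML, since the dictionary cannot anticipate every encoding an attacker may use.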

The content of XSS.dict, one entry per line, is shown below.

```text
%3c
&gt
>
&lt
<
:expr
:url
?import
@im\port
@import
cdata[
[cdata
<?xml
alert
background =
background=
background-image
behavior:
bgsound
classid =
classid=
cmd =
cmd=
content =
content=
data:
datasrc =
datasrc=
dynsrc =
dynsrc=
expression
href =
href=
http:
http-equiv =
http-equiv=
id=
image/svg+xml
implementation =
implementation=
javascript
javascript:
layer
list-style-image
livescript
livescript:
lowsrc =
lowsrc=
namespace
onload
rel =
rel=
script
src =
src=
style=
stylesheet
text/css
text/html
text/javascript
text/x-scriptlet
type =
type=
url =
url=
vbscript
vbscript:
xss
```
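Because isSafe() matches every dictionary entry as a case-insensitive substring, single-character entries such as `<` and `>` and short ones such as `id=` or `http:` reject benign text as well as attacks, and isSafe() only reports a boolean, so it cannot tell you which entry fired. The following added example (my code, not the post's) loads a constructed subset of the entries above from an in-memory string and reports, for each constructed sample value, the first entry that matched, so a dictionary can be reviewed for over-broad entries before it is deployed.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: review which XSS.dict entry rejects a given input.
 * Normalisation (trim, lower-case, substring test) mirrors XssValidator.
 */
public class XssDictionaryReview {

    // Constructed subset of the XSS.dict entries quoted in the post.
    static final String DICT = "<\n>\nalert\njavascript:\nonload\nhttp:\nid=\nsrc=\n";

    /** Parses one entry per line, skipping blanks and duplicates, lower-cased. */
    static List<String> loadRules(String text) throws IOException {
        List<String> rules = new ArrayList<String>();
        BufferedReader br = new BufferedReader(new StringReader(text));
        String line;
        while ((line = br.readLine()) != null) {
            String rule = line.trim().toLowerCase();
            if (rule.length() > 0 && !rules.contains(rule)) {
                rules.add(rule);
            }
        }
        return rules;
    }

    /** Returns the first rule contained in the input, or null when no rule matches. */
    static String matchingRule(List<String> rules, String input) {
        if (input == null || input.length() == 0) {
            return null;
        }
        String needle = input.trim().toLowerCase();
        for (String rule : rules) {
            if (needle.contains(rule)) {
                return rule;
            }
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        List<String> rules = loadRules(DICT);

        // Constructed sample parameter values: some hostile, some benign.
        String[] samples = {
            "hello world",                     // passes
            "<script>alert(1)</script>",       // rejected by '<' (first rule in order)
            "JAVASCRIPT:void(0)",              // rejected: lower-casing neutralises the case change
            "if a < b then swap",              // benign maths rejected by the single-character '<'
            "see http://example.com for more", // benign URL rejected by 'http:'
            "order id=42",                     // benign rejected by 'id='
        };

        for (String s : samples) {
            String rule = matchingRule(rules, s);
            if (rule == null) {
                System.out.println("SAFE      " + s);
            } else {
                System.out.println("REJECTED  " + s + "   (rule: " + rule + ")");
            }
        }
    }
}
```

Entries are tested in file order, so the reported rule is the first match, not necessarily the most specific one; sorting the dictionary from most to least specific makes the report more useful. Each benign rejection in the output is a false positive that the real application would turn into a refused request, which is the trade-off to weigh before adding very short entries.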
