Code I/O


5 Minutes on Java – A dictionary based XSS detection …


Cross-Site-Scripting (XSS) detection is a fundamental task for web developers, and it is often one of the prime security concerns. There are many ways to implement it, depending on where in the application XSS must be detected.

Let me set the context: servlets and XSS validation. The simplest approach is to validate all request parameters before processing them. This way, SQL injection attempts carried in XSS payloads can be caught, and running some kind of injected code can be forbidden, which is useful in cases where forwards are done.

This XssValidator class should do the job. Since it is dictionary based, the dictionary can be updated to beef up protection as and when new vulnerabilities are found.

package udy.foss.utils;

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.util.ArrayList;

import org.apache.log4j.Logger;

public class XssValidator {
	private static final Logger logger = Logger.getLogger(XssValidator.class.getName());
	// Parameterized list: with a raw ArrayList, get(idx) returns Object and trim() would not compile
	private static ArrayList<String> dictionary = new ArrayList<String>();

	public static void loadDictionary(FileInputStream fis){
		try{
			// A BufferedReader over the stream is enough; the DataInputStream wrapper was never used
			BufferedReader br = new BufferedReader(new InputStreamReader(fis));
			String strLine;

			// Read each rule, one per line
			while((strLine = br.readLine()) != null) {
				// Add only non-empty lines
				if(strLine.trim().length() > 0) {
					// Add the line to the dictionary only if the rule is not already there
					if(dictionary.contains(strLine) == false) {
						dictionary.add(strLine);
					}
				}
			}

			br.close();
		}catch (Exception e){
			logger.debug("Exception loading dictionary: " + e.getMessage());
		}
	}

	public static boolean isSafe(String string){
		// Null or empty input contains nothing to match
		if(string == null || string.length() <= 0) return true;

		// Case-insensitive substring match of every rule against the trimmed input
		String needle = string.trim().toLowerCase();
		for(int idx = 0; idx < dictionary.size(); idx++){
			String rule = dictionary.get(idx).trim().toLowerCase();
			if(needle.contains(rule)){
				return false;
			}
		}
		return true;
	}
}

Consider a servlet which initializes and loads the dictionary using the method below (called once from the servlet's init(); it needs java.io.FileInputStream, javax.servlet.ServletConfig and javax.servlet.ServletException imported, and a log4j logger in the servlet class).

	public static synchronized void initialize(ServletConfig config) throws ServletException {
		try {
			// getRealPath() returns null when the web application is not expanded on disk;
			// the resulting exception from FileInputStream is caught and logged below
			XssValidator.loadDictionary(new FileInputStream(config.getServletContext().getRealPath("WEB-INF/XSS.dict")));
		}catch(Exception e){
			// Log the exception itself so a missing or unreadable dictionary is diagnosable
			logger.debug("Exception loading XSS dictionary", e);
		}
	}

Once the dictionary is loaded, the parameters can be validated using the isSafe method.

	String someParam = request.getParameter("someParam");
	if(XssValidator.isSafe(someParam)){
		// Take some action here
	}

The content of the XSS.dict file is enclosed below, one rule per line (duplicate lines are discarded by loadDictionary).

%3c
&gt
>
&lt
<
:expr
:url
?import
@import
@import
cdata[
[cdata
<?xml
alert
background =
background=
background-image
behavior:
bgsound
classid =
classid=
cmd =
cmd=
content =
content=
data:
datasrc =
datasrc=
dynsrc =
dynsrc=
expression
href =
href=
http:
http-equiv =
http-equiv=
id=
image/svg+xml
implementation =
implementation=
javascript
javascript:
layer
list-style-image
livescript
livescript:
lowsrc =
lowsrc=
namespace
onload
rel =
rel=
script
src =
src=
style=
stylesheet
text/css
text/html
text/javascript
text/x-scriptlet
type =
type=
url =
url=
vbscript
vbscript:
xss
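As an added example (not the blog's own code), here is a variant of isSafe() that reports which dictionary rule matched, so a filter can log the hit and the operator can tune the dictionary. It uses a constructed subset of the XSS.dict entries above and the same normalization as the post's matcher.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

public class XssDictionaryDemo {
    private static final List<String> DICTIONARY = new ArrayList<>();

    static {
        // Constructed subset of the XSS.dict rules shown above (assumed for this demo)
        for (String rule : new String[] {"%3c", "<", "javascript:", "onload", "script", "id=", "alert"}) {
            String normalized = rule.trim().toLowerCase();
            // Same de-duplication as loadDictionary(), done once at load time
            if (!normalized.isEmpty() && !DICTIONARY.contains(normalized)) {
                DICTIONARY.add(normalized);
            }
        }
    }

    // Same substring test as isSafe(), but returns the matching rule instead of a boolean
    public static Optional<String> firstMatch(String value) {
        if (value == null || value.isEmpty()) return Optional.empty();
        String needle = value.trim().toLowerCase();
        for (String rule : DICTIONARY) {
            if (needle.contains(rule)) return Optional.of(rule);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample parameter values
        String[] params = {
            "hello world",
            "<b>bold</b>",
            "Product description",   // benign, but contains the rule "script"
            "user_id=42"             // benign, but contains the rule "id="
        };
        for (String p : params) {
            String verdict = firstMatch(p)
                .map(r -> "rejected by rule '" + r + "'")
                .orElse("safe");
            System.out.println("\"" + p + "\" -> " + verdict);
        }
    }
}
```

The last two sample values are benign yet still match a rule, which is why a hit should be logged with the rule name and reviewed, and why the dictionary needs tuning for the parameters a given application actually accepts.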