struts-user mailing list archives

From "Van Riper, Mike" <mvanri...@verisign.com>
Subject RE: Cross Site Scripting (XSS) issues with Struts 1.1-b2?
Date Mon, 09 Sep 2002 17:00:48 GMT
Some additional information, from reviewing the Struts 1.1-b2 source code,
is interspersed below.

> -----Original Message-----
> From: Van Riper, Mike
> Sent: Sunday, September 08, 2002 9:29 PM
> To: List Struts-User (E-mail)
> Subject: Cross Site Scripting (XSS) issues with Struts 1.1-b2?
>
> If you are not familiar with what I mean by cross site scripting (XSS), here
> are two links with information about it:
>
>    http://www.cgisecurity.com/articles/xss-faq.shtml
>
>    http://www.cert.org/advisories/CA-2000-02.html
>
> According to the first FAQ above, some of the things that should be done to
> protect your web application are:
>
>     "Never trust user input and always filter metacharacters. This will
> eliminate the majority of XSS attacks. Converting < and > to &lt; and &gt;
> is also suggested when it comes to script output. Remember XSS holes can be
> damaging and costly to your business if abused. Often attackers will
> disclose these holes to the public, which can erode customer and public
> confidence in the security and privacy of your organization's site.
> Filtering < and > alone will not solve all cross site scripting attacks and
> it is suggested you also attempt to filter out ( and ) by translating them
> to &#40; and &#41;, and also # and & by translating them to &#35 (#) and
> &#38 (&)."

According to the Struts 1.1-b2 source code for ResponseUtils.filter(), it
only converts "<", ">", "&" and """ to the equivalent character entity
references. Is the excerpt from the online XSS FAQ above mistaken, or is it
necessary to filter for "(", ")" and "#" too?

> I saw some old discussions on the Struts-Dev list about default behavior in
> the <bean:write> custom tag. Checking recent documentation, the default
> behavior is to do this sort of filtering/conversion now for <bean:write>.
> So, that particular aspect is covered as long as I don't explicitly set the
> "filter" attribute to "false" in my <bean:write> tags.
>
> I didn't see any discussion of how Struts processes request parameters when
> auto-populating form beans. Is similar filtering/conversion being done there
> as well?

I found in the 1.1-b2 source download that ResponseUtils.filter() is being
called in all the <html> taglib tags that populate form fields with text
values. Actually, it is called in BaseFieldTag.java for the text tags which
extend from it and additionally in a few other tags that don't extend from
it (e.g., TextareaTag.java). So, it doesn't matter so much whether the
request parameters are filtered/converted when populating form beans because
on the way back out to populate the form field values in the JSPs it will
happen automatically as long as I am using the Struts <html> custom tags.

FYI, ResponseUtils.filter() is the same method called in <bean:write> when
the "filter" attribute is not explicitly set to "false".

> Are there any other aspects of this particular security issue that I need to
> be concerned about while developing my web application with Struts 1.1-b2?

Assuming the filtering of "<", ">", "&" and """ and converting them to the
equivalent character entity references is sufficient, it looks like the XSS
vulnerability is being handled in the Struts custom tags by the usage of
ResponseUtils.filter(). 

> - Mike Van Riper
>   mailto:mvanriper@verisign.com

- Mike Van Riper 
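As an added illustration (not code from this thread or from Struts itself), the Python sketch below reproduces the four-character conversion the message attributes to ResponseUtils.filter() and renders it into the two output contexts the thread mentions: element content for <bean:write> and a double-quoted value attribute for the <html> form tags (that the form tags emit double-quoted attributes is an assumption here). It adds a defender check that the filtered text can no longer open a tag, close a double-quoted attribute or begin an unexpected entity, and shows that ( ) and # pass through untouched, which cannot change HTML structure in those contexts, while the single quote also passes through, so the four-character filter is only sufficient where attributes are double-quoted.

```python
# Entity map for the four characters the thread says ResponseUtils.filter()
# converts in Struts 1.1-b2 (assumption: modelled on the description, not the source).
_ENTITY_MAP = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;"}
_ALLOWED_ENTITIES = tuple(_ENTITY_MAP.values())


def struts_style_filter(value):
    """Escape <, >, & and " one character at a time; everything else is passed through.
    Per-character mapping means an existing & is never double-escaped."""
    if value is None:
        return None
    return "".join(_ENTITY_MAP.get(ch, ch) for ch in value)


def render_text_field(name, value):
    """Hypothetical stand-in for <html:text>: value lands in a double-quoted attribute."""
    return '<input type="text" name="%s" value="%s">' % (name, struts_style_filter(value))


def render_bean_write(value):
    """Hypothetical stand-in for <bean:write> with filter left at its default: element content."""
    return "<span>%s</span>" % struts_style_filter(value)


def is_structurally_inert(escaped):
    """Defender check: True if the escaped text contains no raw <, > or " and every &
    starts one of the four entities we emit, so it cannot alter the surrounding markup."""
    if any(ch in escaped for ch in '<>"'):
        return False
    i = escaped.find("&")
    while i >= 0:
        if not escaped.startswith(_ALLOWED_ENTITIES, i):
            return False
        i = escaped.find("&", i + 1)
    return True


# Constructed sample values: one with all four metacharacters plus an apostrophe,
# one with the ( ) # characters the FAQ excerpt suggests filtering as well.
SAMPLE_MIXED = 'Tom & "Jerry" <Ltd> O\'Brien'
SAMPLE_PUNCT = "f(x) # item 1"

if __name__ == "__main__":
    for sample in (SAMPLE_MIXED, SAMPLE_PUNCT):
        out = struts_style_filter(sample)
        print(render_bean_write(sample))
        print(render_text_field("q", sample))
        print("inert:", is_structurally_inert(out), "apostrophe kept:", "'" in out)
```

Running it shows the apostrophe survives in SAMPLE_MIXED, which is harmless inside a double-quoted attribute but would not be inside a single-quoted one.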


