Oracle iPlanet Web Server 7.0.9 Administrator's Guide

Preventing Cross Site Scripting Attacks

Cross site scripting (XSS) is a common security problem in web applications in which an attacker gains access to the user's current web browser session.

Web sites today are highly complex and contain a large amount of dynamic content generated by web applications, which deliver different output depending on what the user requests. An attacker may inject malicious data or scripting code into pages generated by the web application, and it may appear to be valid content from a trusted site. Such HTML pages pose a security risk if the web application does not validate its inputs. When the generated page is rendered in the user's browser, the scripting code is executed and can transfer sensitive data to the attacker. Through an XSS attack, confidential information such as IDs, passwords, security access information and credit card information can be obtained.

Cross site scripting thus poses an immense risk to individuals and to entire organizations. Validating input at every server-side point where the application accepts data is one way of addressing this problem.

In Web Server 7.0, XSS prevention is accomplished by adding a sed-request filter that performs entity encoding, replacing the < and > characters with the entities &lt; and &gt;.

sed-request is an input-stage filter that applies sed edit commands to the body of an incoming request:

Input fn="insert-filter" filter="sed-request" sed="script"

where script is the sed script you want to run on the request body.

To configure XSS prevention, add the following directive to the default object in the obj.conf file:

Input fn="insert-filter"
method="POST"
filter="sed-request"
sed="s/(<|%3c)/\\&lt;/gi"
sed="s/(>|%3e)/\\&gt;/gi"

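The following Python script is an added example and is not part of the Oracle documentation or of the Web Server code. It simulates what the two sed expressions in the directive above do to a request, so the rewrite can be inspected offline: each "<" or "%3c" becomes "&lt;" and each ">" or "%3e" becomes "&gt;", for all occurrences and regardless of case (the sed "g" and "i" flags). It also models two properties that follow from the directive as written and that a deployer should keep in mind: method="POST" restricts the filter to POST requests, and sed-request edits the request body, so a query string is returned unchanged. The function names, the sample requests and the has_angle_brackets check are assumptions made for this example.

```python
import re

# Added example, not Web Server code: the two sed substitutions from the
# obj.conf directive, expressed as Python regular expressions.
#   sed="s/(<|%3c)/\\&lt;/gi"  ->  "<" or "%3c" becomes "&lt;"
#   sed="s/(>|%3e)/\\&gt;/gi"  ->  ">" or "%3e" becomes "&gt;"
# "g" = every occurrence, "i" = case-insensitive, so "%3C" and "%3E" match too.
SED_RULES = [
    (re.compile(r"(<|%3c)", re.IGNORECASE), "&lt;"),
    (re.compile(r"(>|%3e)", re.IGNORECASE), "&gt;"),
]


def sed_request_filter(method: str, query: str, body: str) -> tuple[str, str]:
    """Apply the directive as configured (hypothetical helper).

    method="POST" in the directive limits it to POST requests, and sed-request
    is an input filter over the request body, so the query string is returned
    exactly as received in every case.
    """
    if method.upper() != "POST":
        return query, body
    for pattern, replacement in SED_RULES:
        body = pattern.sub(replacement, body)
    return query, body


def has_angle_brackets(text: str) -> bool:
    """True if a literal or percent-encoded angle bracket is still present,
    i.e. something a browser could parse as a tag if the application echoed
    the value back into a page without encoding it (hypothetical check)."""
    return re.search(r"<|>|%3c|%3e", text, re.IGNORECASE) is not None


# Constructed sample requests for the demonstration (not captured traffic).
SAMPLES = {
    "post_literal": ("POST", "", "comment=<script>alert(1)</script>"),
    "post_encoded": ("POST", "", "comment=%3Cscript%3Ealert(1)%3C/script%3E"),
    "get_query":    ("GET",  "q=<script>alert(1)</script>", ""),
}


def run_samples() -> dict[str, tuple[str, str, bool]]:
    """For each sample return (filtered query, filtered body, bracket survived)."""
    results = {}
    for name, (method, query, body) in SAMPLES.items():
        q, b = sed_request_filter(method, query, body)
        results[name] = (q, b, has_angle_brackets(q + b))
    return results


if __name__ == "__main__":
    for name, (q, b, survived) in run_samples().items():
        print(f"{name:13s} query={q!r} body={b!r} bracket_survived={survived}")
```

Running the script shows the two POST bodies rewritten to entity-encoded text, while the GET query string passes through untouched. The filter is therefore a defence for POST bodies only; input validation in the application, as described above, is still needed for data that arrives by other routes.
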
For information about sed-request, see sed-request in Oracle iPlanet Web Server 7.0.9 Administrator’s Configuration File Reference.