how to prevent XSS (cross site script)attack in livesite

Hi ,

web page having the form ,when submit the form we are inject some malicious script code in request to execute.

ex : " onload=prompt('Testing-for-XSS') bad="

the above script is executing when page on load.

i have written some java code to remove malicious code using ESAPI library its working but issue is ,js have more than 100 events .hacker can use any event to inject mailicous script.

how can put all the js event to check ?

attached java code for refernce .

is Interwoven providing any thing for XSS attack?

Thanks ,

Rajaguru

Find more posts tagged with

Comments

Rick Poulin

I feel like I've answered this question before but I can't find the thread..

Anyway, there's nothing (or very little) in vanilla LiveSite that can be hacked in this fashion. There's nothing in the product to prevent XSS because there's by default, there's nothing there to hack in the first place. So when you build your components and custom functionality, the onus is on your to properly sanitize your inputs.

pratrix

We had similar requirement for website. There are multiple ways to implement,

Extend RuntimeRequestContext getParameterString method to perform XSS check. However getParameterString is getting marked as "deprecated" since last two or three versions of LiveSite. I do not know the alternative method.
Create XSS Filter for your web application and configure it in web.xml . These filter could go through whitelist of parameters that you might use in code.

Also better way is to whitelist parameter values using regex. There is very nice ESAPI available that works well with extended getParameterString
ESAPI will also perform encoding and multi-encoding checks

Rajaguru82

Thanks Pratish , yes already used ESAPI library for XSS fix.

Rajaguru