Meena Vyas

Tuesday June 13, 2006

Cross Site Scripting Prevention in Sun Java System Web Server 7.0


    Check out the new improvements we made in Sun Java System Web Server 7.0 Technology Preview 3. It can be downloaded for free from here. In this blog post I will talk about Cross Site Scripting (XSS) prevention.

obj.conf now supports a number of directives and expressions that let you use it somewhat like a programming language, which in turn lets us configure in Web Server features similar to those of the ModSecurity Apache module.

The main method of preventing Cross Site Scripting (XSS) is entity encoding: replacing characters such as "<" with HTML entities such as "&lt;". We have now introduced a native input-stage filter based on sed which can do this kind of XSS filtering. This sed-request filter applies sed edit commands to an incoming request entity body, e.g. an uploaded file or a submitted form.

Input fn="insert-filter" ... filter="sed-request" sed="script" [ sed="script" ... ]


For example, take a request body posted from an HTML form that contains "<" and ">" characters. In ModSecurity you would write a SecFilter rule like

SecFilterEngine On
SecFilterScanPOST On
SecFilter "<(.|\n)+>"

By adding the following to obj.conf, Web Server 7 will entity-encode any "<" and ">" characters in a POST body before the application sees them

Input fn="insert-filter"
method="POST"
filter="sed-request"
sed="s/(<|%3c)/\\&lt;/gi"
sed="s/(>|%3e)/\\&gt;/gi"

* Note that because POST bodies are usually URL-encoded, it is important to check for URL-encoded forms also when editing POST bodies. "%3C" is the URL-encoded form of "<" and "%3E" is the URL-encoded form of ">". Also keep in mind what the filter above does not cover: it only rewrites the entity body of POST requests, so query strings, headers and other spellings of the same characters (a double-encoded "%253C", or the numeric reference "&#60;") pass through untouched. Treat it as defence in depth alongside proper output encoding in the application, not as a replacement for it.
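To see exactly what those two sed commands do to a request body, here is an added shell example (it is not part of the original post and not code from the Web Server product): it runs the same substitutions with a stand-alone sed over a constructed form body, and then over two constructed bodies that the rules deliberately miss. The function name xss_filter and the sample bodies are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): emulate what the sed-request
# filter does to a POST body by running the same sed substitutions.
# All input strings below are constructed samples, not captured traffic.

# Same two substitutions as the obj.conf example. The "i" flag is replaced
# by spelling out both cases of the percent-encoding so the script also runs
# on POSIX (non-GNU) sed. "\&" is required because a bare "&" in a sed
# replacement means "the text that was matched", which would give "<lt;".
xss_filter() {
    printf '%s' "$1" | sed -E \
        -e 's/(<|%3c|%3C)/\&lt;/g' \
        -e 's/(>|%3e|%3E)/\&gt;/g'
}

# Constructed application/x-www-form-urlencoded body: one field with literal
# brackets, one with the URL-encoded form a browser would normally send.
SAMPLE_BODY='name=<script>alert(1)</script>&bio=%3Cimg+src%3Dx%3E'

# Constructed bodies the rules do NOT catch: a double-encoded bracket and a
# numeric character reference. Both come out unchanged, which is why this
# filter is defence in depth and not a substitute for output encoding.
MISSED_BODY='a=%253Cscript%253E&b=&#60;script&#62;'

echo "before: $SAMPLE_BODY"
echo "after:  $(xss_filter "$SAMPLE_BODY")"
echo "missed: $(xss_filter "$MISSED_BODY")"
```

The filtered sample body becomes name=&lt;script&gt;alert(1)&lt;/script&gt;&bio=&lt;img+src%3Dx&gt;, while the second body is returned verbatim. Spelling out %3c and %3C instead of using the i flag is only for portability of this stand-alone script; inside obj.conf the original sed="..." lines with the i flag are what the product documents.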

Let us know your opinion about the cool features of Web Server 7.0 at webserver7_ea@sun.com .

Posted by meena ( Jun 13 2006, 11:49:12 AM IST )

Trackback URL: http://blogs.sun.com/meena/entry/cross_site_scripting_prevention_in