Java Stack Security (Encoding) Tech Tip

On the Stack, we consider Security to be one of our main priorities so we have provided some utilities to facilitate correct security practices in development, and to enable developers to create more secure applications when using Stack 3.0 frameworks.

While there are many aspects to Stack security, this tech tip will focus on defending against one of the most common and pervasive vulnerabilities, cross-site scripting. Cross-site scripting (XSS), which year after year shows up as #1 or #2 on the Open Web Application Security Project (OWASP)'s top ten security risks list, most often occurs when an application attempts to display user input containing script that actually executes instead of just being displayed as text. For instance, if a user enters valid script, such as <script>alert('XSS');</script> into a text field on a data entry page, and the application later renders the data entered, if the alert actually pops up (i.e. the input executes as script), as opposed to displaying the text <script>alert('XSS');</script>, then there is a cross-site scripting vulnerability. The theory is that while this example is benign, if you can execute script you can do something much more devious. More specifically, through cross-site scripting an attacker could potentially:

  1. Steal a user’s session and login as that user. This would allow the attacker to access data and perform actions that are potentially sensitive.
  2. Deface the site and display inappropriate or embarrassing content. This could result in undesirable media coverage and loss of reputation.
  3. "Hook" a victim’s browser with an exploitation framework. These frameworks allow the attacker to further compromise the victim’s machine and attack the victim’s internal network. This would potentially allow an attacker to exploit systems that sit behind the victim’s firewall.

As you can see, cross-site scripting opens the door to a host of vulnerabilities, which is why it is so important to defend against it. The most common ways to mitigate this security vulnerability are by validating input, and by encoding output. This tech tip focuses on encoding output, but it is worth noting that the Java Stack does provide validation utilities for when users are allowed to enter HTML in a rich text scenario.

We have an EncodingUtils class with three basic methods. Please visit the documentation links for further usage examples and information about each.

  1. encodeHtml
  2. encodeAttribute
  3. encodeJS

For each of these functions, we have also provided corresponding JSP functions, for use in web pages, which could be utilized as follows:

<%@ taglib prefix="ssw" uri="" %>

The Stack security documentation explains usage in great detail and provides additional information and examples pertaining to the subject.

Also, stay tuned for future Stack Security enhancements. You can find more information on the wiki, or by searching Jira for "stack-security".

This page was last modified on 17 June 2011, at 13:26.

Note: Content found in this wiki may not always reflect official Church information. See Terms of Use.