Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow)

Shruti · Feb 12, 2016 · Viewed 13.4k times

I have scanned my application in the HP Fortify portal and am getting an issue: Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow).

I am already using ESAPI library.

What should I do to solve this issue? Is there any other library/jar to validate the inputs?

Thanks in advance.

Answer

user1836982 · Mar 5, 2016

Fortify "Cross-Site Scripting: Poor Validation" is complaining that your OUTPUT encoding is either improper or not effective. The purpose of the output encoding (escaping) is to confine the special characters (meta chars) to a literal string, so they cannot be executed as a command.

To remediate, do the following:

Step#1. Determine who is going to consume this "to be encoded context"?

Step#2. Properly encode the context based on the delivery protocol and the downstream needs. For example:

  • If data is being consumed in the [?query] part of the URL, you need to find a function to wrap (aka encode, escape) the 18 reserved characters (! * ' ( ) ; : @ & = + $ , / ? # [ ]) that have special meaning to the HTTP protocol (not necessarily encode the entire URL). (Read RFC 3986 Sec 2.2 for details.)
  • If data is being consumed as an XML entity, you need to encode 5 meta characters (& < > " ') (check W3C XML Spec Sec 2.4). But this is not always true. Data used as a comment, in processing instructions, or in a CDATA section doesn't need to be encoded.

Step#3. Collect encoding examples for future pick and use: (sorry, when posted as code, some contents changed, so posting as images)

Need to consider the overhead of the ESAPI library; is it worth loading a 30 MB jar for one fix?


Output encoding using the lightweight org.owasp.encoder library

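As an added example (not code from the question or the answer above), here is how the two contexts the answer names, a URL query parameter and an XML element, are encoded with the lightweight OWASP Java Encoder (`org.owasp.encoder:encoder`). The sink shapes, method names and the hostile sample string are constructed for illustration.

```java
// Added example, not from the original post: pick the encoder by the context
// the data lands in, using the lightweight OWASP Java Encoder instead of ESAPI.
import org.owasp.encoder.Encode;

public class ContextEncodingDemo {

    // Sink 1: an HTML link whose href carries a user-supplied ?query value.
    // Two contexts in one line (URL query, HTML attribute/text), so two encoders.
    static String searchLink(String displayName, String query) {
        // forUriComponent percent-encodes the reserved characters the answer lists
        // (! * ' ( ) ; : @ & = + $ , / ? # [ ]) so they cannot alter the URL structure.
        String href = "/search?q=" + Encode.forUriComponent(query);
        // The URL is then placed inside an HTML attribute, so encode for that context too;
        // the visible link text is an HTML text node and gets forHtml.
        return "<a href=\"" + Encode.forHtmlAttribute(href) + "\">"
                + Encode.forHtml(displayName) + "</a>";
    }

    // Sink 2: XML element content and attribute; only & < > " ' need escaping here.
    static String commentXml(String author, String text) {
        return "<comment author=\"" + Encode.forXmlAttribute(author) + "\">"
                + Encode.forXml(text) + "</comment>";
    }

    public static void main(String[] args) {
        // Constructed input that carries meta characters from every context above.
        String hostile = "<script>alert('x')</script>&a=b?c#d";
        System.out.println(searchLink(hostile, hostile));
        System.out.println(commentXml(hostile, hostile));
    }
}
```

Each sink gets its own encoder because a character that is harmless in one context (a `&` in a text node) is a delimiter in another (the same `&` splitting query parameters); encoding once for the wrong context is exactly what Fortify flags as "Poor Validation".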