Secure Coding mailing list archives

Mitigating XSS in existing JEE apps with AOP - Proof of Concept


From: rklists at gmail.com (Rohit Lists)
Date: Tue, 13 Jan 2009 21:51:09 -0500

Hi all,

As some of you may know I've spent some time researching how to apply
Aspect Oriented Programming (AOP) to web application security. I
haven't been able to spend as much time on the topic as I'd like, but
I was able to come up with a proof of concept for Java EE
applications.

I created an HTML encoding aspect using AspectJ that automatically
encodes all dangerous data within a Servlet or JSPs prior to printing
to stream. The net result is a tool that should effectively stop the
vast majority of XSS attacks on many existing Java EE apps with only a
few lines of code. Although I still need to test thoroughly, with the
proof of concept I was able to secure WebGoat from nearly all
server-side XSS with about 16 unique lines of code in one file. I was
also able to protect Daffodil CRM from thousands of XSS vulns with
about 3 unique lines of code in one file.

Now the catch(es):
-The proof of concept hasn't undergone any rigorous testing. Moreover,
I haven't done any performance testing.
-The proof of concept won't currently work with tag libraries but we
will be able to extend it to automatically HTML encode data in JSTL
and other common tag libraries.
-The proof of concept only performs HTML encoding, it does not perform
JavaScript or HTML Attribute encoding.
-The library will only ever protect against Java EE server-side code,
it will never protect against client-side DOM-based XSS or XSS where
HTML encoding is an insufficient protection.

Right now I'm looking for help from people who can critique the design
for holes, test the proof of concept, etc. prior to releasing the tool
to the public in an open source library. If you're interested in this
or would simply like to know more, please ping me. I haven't set the
AOP Security library up as a project in a code repository yet but I
intend to do so after I've had a few other people look over the proof
of concept.

Thanks,

Rohit


-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com
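An added sketch of what an HTML-encoding aspect along these lines can look like in annotation-style AspectJ; this is illustrative code, not Rohit's proof of concept. It assumes a design that intercepts the `print`/`println(String)` calls carrying dynamic data (JSP `<%= %>` expressions compile to `out.print(...)`) while leaving the `write` calls that emit static template markup alone, and the `com.example` package is a placeholder for the application being woven.

```java
import java.io.PrintWriter;
import javax.servlet.jsp.JspWriter;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;

@Aspect
public class HtmlEncodingAspect {

    // Assumed design: only print/println(String) calls made from the
    // application's own Servlet/JSP classes are advised. Static JSP
    // template text goes through JspWriter.write(...) and is not touched,
    // so the page's own markup survives. "com.example" is a placeholder.
    @Pointcut("(call(* javax.servlet.jsp.JspWriter.print*(String))"
            + " || call(* java.io.PrintWriter.print*(String)))"
            + " && args(data) && within(com.example..*)")
    void dynamicOutput(String data) {}

    // Replace the argument with its encoded form, then let the real
    // print/println run. Data the application already encoded will be
    // encoded twice; the aspect has no way to tell safe from unsafe.
    @Around("dynamicOutput(data)")
    public Object encodeBeforeWrite(ProceedingJoinPoint pjp, String data)
            throws Throwable {
        return pjp.proceed(new Object[] { encodeForHtml(data) });
    }

    // HTML body-context encoding only. As the post notes, attribute and
    // JavaScript contexts need different encoders and are not covered.
    static String encodeForHtml(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The aspect is applied either by compiling the application with `ajc` or by load-time weaving with the AspectJ weaver agent and an `aop.xml` that names this class; the `print(Object)` overload is deliberately outside the pointcut here, so expressions returning non-String objects would still need to be covered before relying on it.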

