Page History

Cross-site scripting (XSS) protection

Cross-site scripting, also known as XSS protection, is implemented as an IValueFormatter for values coming from external sources. It implements basic HTML escaping as described on the OWASP website using a normalization and targeted replace technique.

1. Web application - data from inputs are formatted in the controllers before being processed;
2. Development plugin - modifying the profile from the development plugin will use formatted values as well;
3. Web services - both REST and SOAP services are protected against XSS by the formatter;
4. The Request Parameters plugin.

Canonicalization

All input is transformed into a canonical form before validation. Canonicalization involves URL- and HTML-decoding the input.

JAVA Runtime: We use ESAPI to canonicalize the input string to improve the detection. We allow mixed and multiple encodings before we validate if no malicious pattern is found. You can disallow multiple and mixed encoding by specifying your own ESAPI.properties. You can specify the location of this file by passing the environment setting org.owasp.esapi.resources. When ESAPI throws an IntrusionException an empty string will be used.

.NET Runtime: By default , ASP.NET framework does not canonicalize strings, but it protects web application from requests that might contain dangerous content. From MSDN : Request validation is a feature in ASP.NET that examines an HTTP request and determines whether it contains potentially dangerous content. In this context, potentially dangerous content is any HTML markup or JavaScript code in the body, header, query string, or cookies of the request. ASP.NET performs this check because markup or code in the URL query string, cookies, or posted form values might have been added for malicious purposes. Enabling or disabling canonicalization is not applicable anymore, since the feature that protected the .NET Runtime against dangerous content is part of the main Request Validation feature, which we recommend against disabling. More information about Request Validation done by ASP.NET and how it can be disabled can be found here: https://msdn.microsoft.com/en-us/library/hh882339(v=vs.110).aspx .

this is enabled.

The property should be:

blueriq.security.xss-protection.enabled=true

To disable use:

blueriq.security.xss-protection.enabled=false

XSS Components

The above properties enable/disable cross site scripting protection as a whole. If needed, custom rules can be applied, as described below. Cross site scripting protection has the following components :

1. Setting the HTTP header
2. Request body validation
3. Request parameters validation
4. Request url validation
5. Multipart request validation
6. Whitelist
7. Blacklist

By default all components are enabled.

By default all components are enabled.

The properties should be:

blueriq.security.xss-protection.header.enabled=true

request-parameter-validation.enabled=true
blueriq.security.xss-protection.request-url-validation.enabled=true
blueriq.security.xss-protection.whitelist.enabled=true
blueriq.security.xss-protection.blacklist.enabled=true

To disable use:

XSS Components

The above properties enable/disable cross site scripting protection as a whole. If needed, custom rules can be applied, as described below. Cross site scripting protection has the following components :

1. Setting the HTTP header
2. Request body validation
3. Request parameters validation
4. Request url validation
5. Multipart request validation
6. Whitelist
7. Blacklist

By default all components are enabled.

 1 Header

For the header there are no additional parameters.

2 Request Body Validation

This property refers to validation for POST requests that contain an application/json request body. When this type of validation is enabled, the request is blocked if dangerous input is detected in the request body.

3 Request Parameter Validation

This property refers to validation for request parameters. When this type of validation is enabled, the request is blocked if dangerous input is detected in the request parameters.

4 Request URL Validation

This property refers to validation for request URL. When this type of validation is enabled, the request is blocked if dangerous input is detected in the request URL.

5 Multipart Request Validation

This property refers to validation for multipart requests. Body parts that have content-type "application/json" are validated the same way as for the Request Body Validation. When this type of validation is enabled, the request is blocked if dangerous input is detected in the JSON request parts.

Note: for all of the properties above , dangerous input is determined by the blacklist and whitelist configuration.

6 Whitelist Customization

(White list validation is appropriate for all input fields provided by the user. White list validation involves defining exactly what IS authorized, and by definition, everything else is not authorized.)
By default, when the XSS Whitelist protection is activated, all tags and attributes are blocked.

Note: If an attribute is marked as an URI attribute, then the attribute value must be a URI, otherwise it will not pass the validation and itwill be removed

Whitelist configuration examples

 1 Header

For the header there are no additional parameters.

2 Request Body Validation

This property refers to validation for POST requests that contain an application/json request body. When this type of validation is enabled, the request is blocked if dangerous input is detected in the request body.

3 Request Parameter Validation

This property refers to validation for request parameters. When this type of validation is enabled, the request is blocked if dangerous input is detected in the request parameters.

4 Request URL Validation

This property refers to validation for request URL. When this type of validation is enabled, the request is blocked if dangerous input is detected in the request URL.

5 Multipart Request Validation

This property refers to validation for multipart requests. Body parts that have content-type "application/json" are validated the same way as for the Request Body Validation. When this type of validation is enabled, the request is blocked if dangerous input is detected in the JSON request parts.

Note: for all of the properties above , dangerous input is determined by the blacklist and whitelist configuration.

6 Whitelist Customization

(White list validation is appropriate for all input fields provided by the user. White list validation involves defining exactly what IS authorized, and by definition, everything else is not authorized.)
By default, when the XSS Whitelist protection is activated, all tags and attributes are blocked.

blueriq.security.xss-protection.whitelist.allowed

-global-attributes=class,tabindex,title
# define what attribute are allowed on each tag
blueriq.security.xss-protection.whitelist.allowed-

attributes.q=cite
blueriq.security.xss-protection.whitelist.allowed-attributes.

img=src,alt
# define which attributes of which tags can contain URIs and are subject to the allowed-protocols restrictions
blueriq.security.xss-protection.whitelist.uri-attributes.a=href
blueriq.security.xss-protection.whitelist.uri-attributes.

Note: If an attribute is marked as an URI attribute, then the attribute value must be a URI, otherwise it will not pass the validation and itwill be removed

If an attribute is not marked as URI, but does contain a URI value, it will pass the Whitelist validation. Make sure to set this marker for all attributes that might have an URI value. If an attribute is marked as URI, but does not contain a URI value, it will be passed through a URL sanitization, and special characters will be URL-encoded.
ASP.NET framework provides a certain degree of protection against XSS attacks. In order to allow certain HTML elements that are added through configuration as described above, the following additional setting has to be present in Web.config: See httpRuntime element, the requestValidationType attribute :

allowed-protocol

name

allowed-tag

name

name 

isUriAttribute

<system.web>
    <httpRuntime maxRequestLength="2097151" executionTimeout="1200" requestValidationType="Aquima.WebApplication.Foundation.Filters.XssUrlSecurityRequestValidator, WebCore"/>
</system.web>

Whitelist configuration examples

7 Blacklist

The blacklist checks the input against predefined regular expressions. The blacklist can be enabled or disabled with the following settings:

X-XSS-Protection Header

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP. The response header that will be sent:

X-XSS-Protection: 1; mode=block

Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.

Registering custom XSS protection components

In case the default blacklist and/or whitelist implementations are not sufficient, it is possible to register custom blacklist and/or whitelist implementations.

7 Blacklist

The blacklist checks the input against predefined regular expressions. The blacklist can be enabled or disabled with the following settings:

By default this is enabled.

The property should be:

blueriq.security.xss-protection.blacklist.enabled=true

To disable use:

blueriq.security.xss-protection.blacklist.enabled=false

X-XSS-Protection Header

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP. The response header that will be sent:

X-XSS-Protection: 1; mode=block

Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.

By default all components are enabled.

The properties should be:

blueriq.security.xss-protection.header.enabled=true

To disable use:

blueriq.security.xss-protection.header.enabled=false

Registering custom XSS protection components

In case the default blacklist and/or whitelist implementations are not sufficient, it is possible to register custom blacklist and/or whitelist implementations.

Create your own blacklist implementation:

import com.aquima.interactions.project.impl.xss;

public class SampleXssBlacklist implements IXssBlacklist {
  public String sanitize(String input) {
    // custom input sanitization
  }
  public boolean isValid(String input) {
    // custom input validation
  }
}

Create your own whitelist implementation:

import com.aquima.interactions.project.impl.xss;
public class SampleXssWhitelist implements IXssWhitelist {
  public String sanitize(String input) {
    // custom input sanitization
  }
  public boolean isValid(String input) {
    // custom input validation
  }
}

Expose your custom blacklist and/or whitelist implementations as Spring beans:

@Configuration
public class SampleXssConfiguration {
  @Bean
  public IXssBlacklist xssBlacklist() {
    return new SampleXssBlacklist();
  }
  @Bean
  public IXssWhitelist xssWhitelist() {
    return new SampleXssWhitelist();
  }
}

The Runtime will automatically detect your custom implementations and register them instead of the default implementations.

Potential problems

1. In its current form, the formatter does not provide 100% protection against cross-site scripting. Other countermeasures (such as a web application firewall) are recommended. See the OWASP website for more information on XSS attacks.
2. It is not possible to disallow XML/HTML content in the profile values because there are valid use cases which require this. Therefore the decision to protect only the entry points mentioned above has been made. It is the responsibility of the developer using extension points to make sure the values inserted into the profile are validated against XSS.

Potential problems

1. In its current form, the formatter does not provide 100% protection against cross-site scripting. Other countermeasures (such as a web application firewall) are recommended. See the OWASP website for more information on XSS attacks.
2. It is not possible to disallow XML/HTML content in the profile values because there are valid use cases which require this. Therefore the decision to protect only the entry points mentioned above has been made. It is the responsibility of the developer using extension points to make sure the values inserted into the profile are validated against XSS.
3. The .NET whitelist considers input such as "a<b" as invalid, as "<b" is interpreted as an unclosed tag. This is a known limitation in the .NET Runtime. We recommend using a space after the less than sign which is considered a valid input (eg. "a < b" instead of "a<b"). The consequences of this limitation are:
   • Requests with parameters of this form a. will be blocked
   • Values entered in fields (profile) or comments will be sanitized by removing everything after the greater than sign (eg. "a<b" will be sanitized to "a")
4. The .NET whitelist considers URI values such as "http://www.example.com" as invalid. A valid URI must have a path component (eg. "http://www.example.com/" - notice the slash at the end). The consequences of this limitation are:
5. Requests with parameters containing tags with URI attributes of the form "http://www.example.com" (i.e. without a trailing slash) will be blocked
6. Values entered in fields (profile) or comments containing tags with URI attributes will be sanitized (eg. the input <a href="http://www.example.com">link</a> will be sanitized to <a href="http://www.example.com/">link</a>)

Hiding the WSDL

WSDL files provide detailed information about the services ports and bindings available to web server. An attacker can try to submit special characters or malicious content to the Web service and potentially cause a denial of service condition or unauthorised access to database records. In addition, the attacker may try to guess other 'private' (unexposed) methods by using the information provided in the WSDL files.

For example the following web service description was discovered:

ManagementService.wsdl

The URL of the above WSDL is:

https://<host>:<port>/Services/Managementsservice?singleWsdl

Recommendation: The access to WSDL file should be limited as much as possible (for example the entry point should go thourgh nginx [https://nginx.org/en/] or something similar). If services are provided only to a limited number of entities, it may be better to provide WSDL privately to each of these entities than to publish WSDL publicly.