Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow)


Fortify "Cross-Site Scripting: Poor Validation" is complaining that your OUTPUT encoding is either improper or not effective. The purpose of output encoding (escaping) is to confine the special characters (meta chars) to a literal string, so they cannot be executed as a command.

To remediate, you do:

Step#1. Determine who is going to consume this "to be encoded context"?

Step#2. Properly encode the context based on the delivery protocol and the downstream needs. For example:

  • If data is being consumed in the [?query] part of the URL, you need to find a function to wrap (aka encode, escape) the 18 reserved characters (! * ' ( ) ; : @ & = + $ , / ? # [ ]) that have special meaning to the HTTP protocol (not necessarily encode the entire URL). (Read RFC 3986 Sec 2.2 for details.)
  • If data is being consumed as an XML entity, you need to encode 5 meta characters (& < > " ') (check W3C XML Spec Sec 2.4). But this is not always true: data used as a comment, in processing instructions, or in a CDATA section doesn't need to be encoded.

Step#3. Collect encoding examples for future pick and use (sorry, when posted as code, some contents changed, so posted as images):

Need to consider the overhead of the ESAPI library: is it worth loading a 30 MB jar for one fix?
[image not available]

[image not available]

Output encoding using the lightweight org.owasp.encoder library

[image not available]
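The two contexts the answer names (a URL query value and XML text), as an added example that is not code from the answer, from ESAPI or from the OWASP Java Encoder project: each context gets a hand-rolled encoder written against the rules the answer cites (RFC 3986 Sec 2.2 reserved characters, XML Sec 2.4 meta characters), followed by the equivalent `org.owasp.encoder.Encode` calls. It assumes the `org.owasp.encoder:encoder` artifact is on the classpath; the tainted sample value is constructed.

```java
import java.nio.charset.StandardCharsets;
import org.owasp.encoder.Encode;   // assumed dependency: org.owasp.encoder:encoder

/** Added example: one encoder per output context, which is what Fortify expects to see
 *  on the data flow instead of a single generic "encode" call. */
public class ContextEncoder {

    /** Percent-encode a value for the query part of a URL. Only RFC 3986 unreserved
     *  characters (ALPHA / DIGIT / "-" / "." / "_" / "~") pass through; the 18 reserved
     *  characters from RFC 3986 Sec 2.2 and everything else become %XX (UTF-8 bytes). */
    public static String forUrlQueryValue(String value) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved) {
                out.append((char) c);
            } else {
                out.append('%').append(String.format("%02X", c));
            }
        }
        return out.toString();
    }

    /** Escape the five XML meta characters (W3C XML spec Sec 2.4) so the value is
     *  literal character data inside element content or an attribute, never markup.
     *  Not for use inside comments, processing instructions or CDATA sections. */
    public static String forXmlText(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char ch : value.toCharArray()) {
            switch (ch) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(ch);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: carries both URL-reserved and XML meta characters.
        String tainted = "a&b=<script>alert('x')</script>/?#";

        // Hand-rolled encoders, chosen by the destination context.
        System.out.println("query: q=" + forUrlQueryValue(tainted));
        System.out.println("xml:   <name>" + forXmlText(tainted) + "</name>");

        // The same two contexts with the OWASP Java Encoder, plus HTML and JavaScript
        // contexts for comparison; each method targets exactly one output context.
        System.out.println("query: q=" + Encode.forUriComponent(tainted));
        System.out.println("xml:   <name>" + Encode.forXml(tainted) + "</name>");
        System.out.println("html:  <p>" + Encode.forHtml(tainted) + "</p>");
        System.out.println("js:    var v = '" + Encode.forJavaScript(tainted) + "';");
    }
}
```

The point of keeping the two hand-rolled methods next to the library calls is to make the answer's Step#1 visible in code: the caller has to pick the method by where the value is going, and a value that flows into a URL and later into XML needs both encodings, applied in the order the data is consumed.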

Author: Shruti (updated on June 05, 2022)

Comments

  • Shruti, almost 2 years ago:

    I have scanned my application in the HP Fortify portal and am getting the issue Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow).

    I am already using ESAPI library.

    What should I do to solve this issue? Is there any other library/jar to validate the inputs?

    Thanks in advance.

  • Shruti, about 8 years ago:
    Hi, thanks for the help.
  • Shruti, about 8 years ago:
    I have used ESAPI.encoder() to encode the value. Am I going the right way?
  • SecurityNinja, about 8 years ago:
    Sorry, I was travelling. That is not correct; you need to use encoding as per your context. I can see another user has answered it in detail, which looks like a perfect solution.