Wednesday 15 February 2012

jsp - XSS protection on already production project


We are running servlet and Struts based applications. This is a big application, and the JSPs in question are prone to XSS (request values are printed in the JSP). It's a big application with 200 JSPs.

We want to fix the XSS attack in such a way that the minimum code change is made, so that the QA dev cycle is small and QA gets more time.

Thanks

The only way that actually works is to create a UI layer, i.e. use Webdunia, Google Web Toolkit, or a similar framework, which removes all the HTML, JavaScript, etc. so that developers working on the UI look and feel, creating a new page, or modifying a page don't particularly have to consider the security implications of their changes.

This is particularly important because most developers do not understand the security implications of their changes, so rescuing them from their lack of knowledge / experience will help. This protects against common errors that developers make - after all, we know that code always has bugs.

It is also very beneficial in other ways. Using a UI framework instead of scattering UI code makes maintenance easier, and it keeps the UI look and feel coherent everywhere instead of being done differently in each place. A bug - or a vuln - which exists because the original implementation was not correct can be fixed in one place, and that fix is then applied everywhere.

In the interim, as long as you do not have a UI layer in your application, you should look at OWASP's ESAPI, which proposes a bolt-on XSS protection. It does a good job, although it is very likely that it will break some functionality in your UI or will not protect some functionality in your UI. This is because it is not fully integrated with your application - it's bolted on - so it's unlikely to be exactly right.
