Page Comparison

 A3 Cross-Site Scripting (XSS)

...

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary

A 3.1 Defenses:

Encode untrusted data:

...

A 3.2.1 Java-html-sanitizer

 https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project

...

If you are using Maven then follow the the maven directions directions to add a dependency. Otherwise,  download prebuilt jars or git ;or;git clone git@github.com:OWASP/java-html-sanitizer.git and git;and build the latest source.

Unless maven is managing your CLASSPATH for you, you need to add both owaspboth owasp-java-html-sanitizer.jar and jar and the Guava JAR.

Once you have your CLASSPATH set up correctly with the relevant JARs you should be able to addimport org.owasp.html.HtmlPolicyBuilder;to one of your project's .java files s;.java;files and compile it.If you are using Maven then follow the maven directions to add a dependency. Otherwise, download prebuilt jars or git clone git@github.com:OWASP/java-html-sanitizer.git and build the latest source.

Unless maven is managing your CLASSPATH for you, you need to add both owaspboth owasp-java-html-sanitizer.jar and jar;and the Guava JAR.

https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/examples/UrlTextExample.java

A 3.2.2 OWASP Java Encoder

...

HTML Content Context

<textarea><%= Encode.forHtmlContent(UNTRUSTED)&nbsp;%></textarea>

HTML Attribute context

<input value="<%= Encode.forHtmlAttribute(UNTRUSTED)&nbsp;%>"

Generally EncodeGenerally Encode.forHtml(UNTRUSTED)  is is also safe but slightly less efficient for the above two contexts (for textarea content and input value text) since it encodes more characters than necessary but might be easier for developers to use.

CSS contexts

...

<div style="width:<= Encode.forCssString(UNTRUSTED)

...

%>">

...

<div style="background:<= Encode.forCssUrl(UNTRUSTED)

...

%>">

...

*Javascript Block context

...

;

<script>

var msg = "<%= Encode.forJavaScriptBlock(UNTRUSTED)&nbsp;%>";
alert(msg);
</script>

*Javascript Variable context

...

Code Block
<button&nbsp;&nbsp;<button onclick="alert('<%= Encode.forJavaScriptAttribute(UNTRUSTED)&nbsp;%>');">click me </button> h5.

JavaScript Content Notes:

...

Code Block
Encode.forJavaScript(UNTRUSTED)

...

;

Is safe for the above two contexts, but encodes more characters and is less efficient.

Encode URL parameter values

<a href="/search?value=<%= Encode.forUriComponent(UNTRUSTED)&nbsp;%>&order=1#top">

Encode REST URL parameters

<a href="/page/<%= Encode.forUriComponent(UNTRUSTED)&nbsp;%>">

Handling an Full Untrusted URL

When handling a full url with the OWASP Java encoder, first verify the URL is a legal URL.

String url = validateURL(untrustedInput);

Then encode the URL as an HTML attribute when outputting to the page. Note the linkable text needs to be encoded in a different context.

&nbsp;<a href="<%= Encode.forHtmlAttribute(untrustedUrl)&nbsp;%>">
<%= Encode.forHtmlContent(untrustedLinkName)&nbsp;%>
</a>

To use in a JSP with EL

<%@page contentType="text/html" pageEncoding="UTF-8"%>

<\!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"&nbsp;"http://www.w3.org/TR/html4/loose.dtd">
<%@taglib prefix="e" uri="https://www.owasp.org/index.php/OWASP_Java_Encoder_Project"&nbsp;%>
<html>
&nbsp;&nbsp; <head>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<title><e:forHtml value="${param.title}" /></title>

&nbsp;&nbsp; </head>
&nbsp;&nbsp;
<body>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <h1>${e:forHtml(param.data)}

</h1>
&nbsp;&nbsp;
</body>

</html>

Other contexts can be found in the org.owasp.Encode class methods, including CSS strings, CSS urls, XML contexts, URIs and URI components.

...

https://github.com/cure53/DOMPurify

A 3.2.4 MentalJS

MentalJS is a JavaScript parser and sandbox. It whitelists JavaScript code by adding a "$" suffix to variables and accessors.
https://github.com/hackvertor/MentalJS

A 3.2.5 OWASP JSON sanitizer

https://www.owasp.org/index.php/OWASP_JSON_Sanitizer#tab=Input

A 3.2.6 Third Party Javascript Management Cheat Sheet

https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet

A 3.3 AJAX Security Best Practices:

• 1.1 Client 1 Client Side (Javascript)
• Use .innerText instead of .innerHtml
• Don't use eval
• Canonicalize data to consumer (read: encode before use)
• Don't rely on client logic for security
• Don't rely on client business logic
• Avoid writing serialization code
• Avoid building XML or JSON dynamically
• Never transmit secrets to the client
• Don't perform encryption in client side code
• Don't perform security impacting logic on client side
  • 1.2 Server 2 Server Side
  • Protect against JSON Hijacking for Older Browsers
    • Use CSRF Protection
    • Always return JSON with an Object on the outside
    • Avoid writing serialization code. Remember ref vs. value types!
    • Services can be called by users directly
    • Avoid building XML or JSON by hand, use the framework
    • Use JSON And XML Schema for Webservices
      

...

If these contain unvalidated user input, the application is vulnerable when used with application frameworks that cannot detect this issue.
If the application has to use user-supplied input in HTTP headers, it should check for double "\n" or "\r\n" values in the input data and eliminate it.
Many application servers and frameworks have basic protection against HTTP response splitting, but it is not adequate to task, and you should not allow unvalidated user input in HTTP headers.

A 3.5. General Recommedations:

A 3.5.1 Avoid nested context

...

• JS encode first
• HTML attribute encode second

  Code Block

...

• Encoder.encodeForHtml(Encoder.encoderForJavaScript(request.getParameter(error)));

...

A 3.5.2 Encode every variable before showing to user

a href="%=Encode.forHTMLAttribute(UNTRUSTED_URL)%>">

Encode.forHTMLcontext(URL)

3.5.3. Safe way to populate DOM

elem.textContent

formfield.value
document.createTextnode

3.5.4 Safe JSON parsing

JSON.parse()

Do not use eval()

3.5.5  jQuery jQuery most unsafe ways to populate data.html

.before

3.5.6 jQuery safe ways to populate data

.text(UNTRUSTED_DATA)

.val(UNTRUSTED_DATA)
\\

3.5.7 Sandboxing

JavaScriptECMAScript
Object.seal ( O )

When the seal function is called, the following steps are taken:
1. If Type(O) is not Object, return O.
 2 2. Let status be Set Integrity Level( O, "sealed").
3. Return IfAbrupt(status).
4. If status is false, throw a TypeError exception.
5. Return O.

Reference: www.ecmascript.org

iFrame Sandboxing (HTML5)
\\
<iframe src="demo_iframe_sandbox.jsp sandbox="">

</iframe>

Allow-same-origin, allow-top-navigation, allow-forms, allow-scripts

3.5.8. HTML Response Headersx-xss-protection:0-1 (mode=block1; 1; mode=block)*

xframe-options:
DENY (prevent any domain from framing your page),
SAMEORIGIN (only allows the current site to frame your page)*** ALLOW FROM X
Set X-Frame-Options to SAMEORIGIN to stop framing and limit clickjacking. Must be added to response header because  because x-frame-option http request headers does nothing.
x-content-type-options: nosniffTo stop guessing of mime type, applies to IE and Chrome
Implement x-content-security-policyx-content-security-policy
Powerful mechanism for controlling which sites can execute JS, current standard.
Implement secure headers:
allow-control-allow-origin, xdomain use image
strict-transport-security, forces browser to use https, critical
cache-control: no-store, no-cache, must-revalidate, expiresz; -1 (expire in the past)

References: [https://github.com/twitter/secureheaders|https://github.com/twitter/secureheaders
]\

3.5.9 Output encoding

JSF output components filter output and escape dangerous characters as XHTML entities

<h:outputText&nbsp; Value="#{param.name}"/>
  

3.5.10 XXE prevention

Set the IS_SUPPORTING_EXTERNAL_ENTITIES property in xalan to FALSE:

XMLInputFactory factory = XMLInputFactory.newInstance(); factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);

Set the IS_SUPPORT_DTD property in xalan to FALSE:

XMLInputFactory factory = XMLInputFactory.newInstance();

factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);

http://web-in-security.blogspot.in/2016/03/xxe-cheat-sheet.html

...