1. What is Cross Site Scripting?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. It enables a malicious attacker to inject client-side script into web pages that are then viewed by other users; the injected script runs in those users' browsers with the privileges of the vulnerable site.
2. What does XSS and CSS mean?
People sometimes refer to Cross Site Scripting as CSS, which causes confusion with Cascading Style Sheets (CSS). Security people therefore abbreviate Cross Site Scripting as XSS. If you hear someone say "I found an XSS hole", they are talking about Cross Site Scripting for certain.
3. What are the threats of Cross Site Scripting?
Attackers typically inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (the scenarios below show how) and gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible, and new malicious uses of XSS are found every day. The post below by Brett Moore brings up a good point with regard to Denial of Service, and the potential for "auto-attacking" of hosts if a user simply reads a post on a message board.
4. How XSS attacks are carried out:
Scripting via a malicious link
In this scenario, the attacker sends a specially crafted e-mail message to a victim containing a malicious link such as the one shown below:
```html
<A HREF=http://legitimateSite.com/registration.cgi?clientprofile=<SCRIPT>malicious code</SCRIPT>>Click here</A>
```
When an unsuspecting user clicks on this link, the URL, including the malicious code, is sent to legitimateSite.com. If the legitimate server sends back a page that includes the value of clientprofile without encoding it, the malicious code is executed in the user's Web browser, as shown in Figure 1.
Figure 1. Attack via e-mail
Stealing users’ cookies
If any part of the Web site uses cookies, it may be possible to steal them from its users. In this scenario, the attacker posts a page containing malicious script to the part of the site that is vulnerable. When the page is displayed, the malicious script runs, reads the users' cookies (for example through document.cookie), and sends a request to the attacker's Web site carrying the cookies gathered. Because the script runs inside the page, the same technique can also capture whatever the user types into it, so the attacker can obtain sensitive data such as session identifiers, passwords, credit card numbers, and any arbitrary information the user inputs, as shown in the figure. Marking session cookies HttpOnly stops script from reading them through document.cookie, although injected script can still act on the user's behalf from within the page.
Sending an unauthorized request
In this scenario, the user unknowingly executes scripts written by the attacker when they follow a malicious link in a mail message. Because the malicious script executes in a context that appears to have originated from the legitimate server, it has full access to the document retrieved and may send data contained in the page back to the attacker's site.
If the embedded script can interact further with the legitimate server without alerting the victim, the attacker can use it to post data to a different page on the legitimate Web server, in the victim's session and with the victim's privileges, as shown in the figure.
Solution:
Amicon Technology has provided solutions for XSS to many clients.
Below are the steps, for developer reference, to implement the fix in OFBiz/Opentaps:
1> In web.xml, add this block so the filter runs in front of every URL of the webapp:
```xml
<filter>
  <filter-name>CrossSiteScriptingFilter</filter-name>
  <display-name>CrossSiteScriptingFilter</display-name>
  <filter-class>org.ofbiz.webapp.control.CrossSiteScriptingFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CrossSiteScriptingFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
2> Replace scripting characters with their HTML equivalents:
HTMLInputFilter.java – filter(params)
This filter method is called from CrossSiteScriptingFilter.java for the incoming request parameters. It replaces the characters that make up script markup (such as < and >) with their HTML entity equivalents, so that injected JavaScript reaches the page as inert text rather than as executable code.
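The following is an added example, not the Amicon or OFBiz code, that ties the attack link from section 4 to the two-step fix above: a servlet filter of the kind web.xml wires in, a request wrapper that hands escaped parameter values to the handlers, and a small simulation of the registration.cgi page with and without the filter. It assumes the javax.servlet API on the classpath (as in any OFBiz/Opentaps webapp); the class names, the host name and the payload are hypothetical.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Added example, not the Amicon or OFBiz code. Assumes the javax.servlet API on the
// classpath (as in an OFBiz/Opentaps webapp); class, host and payload are hypothetical.
public class XssFilterExample {

    // Replace the characters that let a value break out of an HTML text or attribute context.
    static String htmlEscape(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Request wrapper that hands escaped parameter values to the request handlers.
    static class EscapingRequest extends HttpServletRequestWrapper {
        EscapingRequest(HttpServletRequest req) { super(req); }

        @Override public String getParameter(String name) {
            return htmlEscape(super.getParameter(name));
        }

        @Override public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] out = new String[raw.length];
            for (int i = 0; i < raw.length; i++) out[i] = htmlEscape(raw[i]);
            return out;
        }
    }

    // The class named by <filter-class> in web.xml: wraps every request before the chain runs.
    public static class CrossSiteScriptingFilter implements Filter {
        @Override public void init(FilterConfig config) { }
        @Override public void destroy() { }

        @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (req instanceof HttpServletRequest) {
                req = new EscapingRequest((HttpServletRequest) req);
            }
            chain.doFilter(req, res);
        }
    }

    // Decode the query string of the attack link the way the container does before getParameter().
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<String, String>();
        int q = url.indexOf('?');
        if (q < 0) return params;
        try {
            for (String pair : url.substring(q + 1).split("&")) {
                int eq = pair.indexOf('=');
                String key = eq < 0 ? pair : pair.substring(0, eq);
                String val = eq < 0 ? "" : pair.substring(eq + 1);
                params.put(URLDecoder.decode(key, "UTF-8"), URLDecoder.decode(val, "UTF-8"));
            }
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
        return params;
    }

    // registration.cgi as described under Figure 1: the profile value is echoed into the page as-is.
    static String renderVulnerable(String clientProfile) {
        return "<html><body>Welcome, " + clientProfile + "</body></html>";
    }

    // The same page once the filter is in front of it: the handler only ever sees the escaped value.
    static String renderFiltered(String clientProfile) {
        return renderVulnerable(htmlEscape(clientProfile));
    }

    public static void main(String[] args) {
        // Constructed link in the shape of the one in the post; the payload merely displays the cookie.
        String link = "http://legitimateSite.com/registration.cgi"
                + "?clientprofile=<SCRIPT>alert(document.cookie)</SCRIPT>";
        String profile = parseQuery(link).get("clientprofile");
        System.out.println("Unfiltered: " + renderVulnerable(profile)); // script tag reaches the browser
        System.out.println("Filtered:   " + renderFiltered(profile));   // shown as inert text
    }
}
```

Run the class stand-alone to see the two renderings; in a deployment the container invokes CrossSiteScriptingFilter for every URL matched by `/*`, so the handlers never see the raw `<SCRIPT>` value. Two caveats apply to any input-side filter of this kind. It is lossy: a legitimate `<` typed into a product description is stored as `&lt;`. And HTML entity encoding is only correct when the value lands in HTML text or an attribute; a value placed inside a JavaScript string, a URL or a CSS property needs that context's encoding, and data that reaches a page from the database, a service call or another webapp never passes through the filter at all. Treat the filter as a backstop and also encode at output time in the templates (in OFBiz's FreeMarker screens, the `?html` built-in).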
