Preventing SQL Injection and XSS Attacks

Preventing SQL Injection:

The main reason behind SQL injection: the SQL query, acting as a mediator between the application and the database, is unable to differentiate the user-submitted value from the actual query.

To prevent SQL injection, our query must be able to differentiate the user-submitted value from the actual query. This can be achieved by using parameterised queries or stored procedures instead of ordinary statements.

SQL Query Vulnerable To SQL Injection
SQL Injection Prevention By Using Prepare Statement

Incorrect Use Of A Prepared Statement Still Leaves Your Application Vulnerable To SQL Injection.

The scenario below depicts the incorrect use of a prepared statement.
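
The three cases this section describes (a concatenated query, a prepared statement fed a concatenated string, and a properly parameterised query), as an added Java/JDBC example that is not code from the original article. The H2 in-memory JDBC URL, the customers table, and the class and method names are assumptions for illustration; the sample input is an ordinary surname containing a quote, which is enough to show where user data is parsed as part of the query.

```java
import java.sql.*;

// Added example. Assumptions: H2 driver on the classpath; hypothetical table customers(surname).
public class SurnameLookup {

    // Vulnerable: input is concatenated into the SQL text, so the database
    // cannot tell the user's value apart from the query itself.
    static boolean existsConcatenated(Connection c, String surname) throws SQLException {
        String sql = "SELECT 1 FROM customers WHERE surname = '" + surname + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Still vulnerable: a PreparedStatement is used, but the SQL text was already
    // built by concatenation and no placeholder is bound.
    static boolean existsMisusedPrepared(Connection c, String surname) throws SQLException {
        String sql = "SELECT 1 FROM customers WHERE surname = '" + surname + "'";
        try (PreparedStatement ps = c.prepareStatement(sql); ResultSet rs = ps.executeQuery()) {
            return rs.next();
        }
    }

    // Correct: the SQL text is constant and the value travels separately as a bound parameter.
    static boolean existsParameterised(Connection c, String surname) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT 1 FROM customers WHERE surname = ?")) {
            ps.setString(1, surname);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        String input = "O'Brien"; // constructed sample: ordinary data containing a quote
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE customers(surname VARCHAR(50))");
                st.execute("INSERT INTO customers VALUES ('O''Brien')");
            }
            try { existsConcatenated(c, input); }
            catch (SQLException e) { System.out.println("concatenated: quote parsed as SQL -> " + e.getClass().getSimpleName()); }
            try { existsMisusedPrepared(c, input); }
            catch (SQLException e) { System.out.println("misused prepare: quote parsed as SQL -> " + e.getClass().getSimpleName()); }
            System.out.println("parameterised: found = " + existsParameterised(c, input));
        }
    }
}
```

A quick review check that follows from this: any prepareStatement call whose SQL argument is built with string concatenation of request data deserves the same scrutiny as a plain Statement.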

Preventing XSS Attacks:

XSS — Cross Site Scripting:

XSS involves exploiting the trust that the user has in a company’s website. Example: any data shown to the user on an internet banking site is going to be trusted by the user. If an attacker controls the data that is displayed on the internet banking site, then he can lure the user into clicking malicious links, leading to phishing or session hijacking attacks.

There are 3 types of Cross Site Scripting attacks: Stored or Persistent XSS, Reflected XSS and DOM Based XSS. Let us look into the details of each attack below.

1. Stored or Persistent XSS:

Values submitted by the user are stored directly in the database without sanitising the input. If the malicious input is later retrieved and displayed in the browser without escaping HTML/JavaScript characters, the retrieved script gets executed, making the application vulnerable to Stored XSS.

2. Reflected XSS:

The classic example of this is a search bar that displays the searched text on the results page. When a user searches for a malicious input and the input is not HTML/JavaScript escaped, the browser will render and execute the script, making the application vulnerable to Reflected XSS.

3. DOM Based XSS:

If an application directly retrieves data from the URL and displays it in the page, then the application is vulnerable to DOM Based XSS.

Prevention:

HTML characters must be encoded so that the browser will not render and execute the user submitted HTML and script tags.

OWASP provides a library package for encoding HTML tags, which can be downloaded from the OWASP website. The name of the library file is ESAPI.jar.

Once downloaded, you have to use it in your application wherever HTML characters need to be escaped.

Step 1:
Add the jar file in your WEB-INF library folder as shown in the image below

Step 2:

Import the library in your Java file in order to make use of the functions present in the ESAPI jar.

Step 3:

Escape the HTML characters by using the encoder functions in the ESAPI jar. Here I am going to use the ESAPI.encoder().encodeForHTML(arg0) function for escaping the HTML characters submitted by the user.

Step 4:

Before processing the data, we have escaped all the HTML characters using ESAPI.encoder().encodeForHTML(arg0), which makes our application free from XSS.

If an application was vulnerable and multiple scripts have already been injected into the database, then retrieving and displaying that data makes the application vulnerable to XSS. Therefore JSP pages have to encode the data and escape the HTML tags before displaying it to the user.

Adding escape functions in JSP Page:
