Saturday, December 21, 2013

ColdFusion AntiSamy library integration for XSS attack protection

I have already described what an XSS attack is, shown a few examples, and explained how we can protect our applications from those attacks in earlier posts.
Now, let's look at a more advanced type of XSS attack that can affect our application and how we can prevent it.

The general prevention method is to stop any HTML code entered by a user from being rendered. But if our application really needs users to enter HTML text, how do we prevent the attack?
Example: many applications include a Rich Text Editor (RTE), and the final output of an RTE is nothing but HTML code, so a user with bad intentions can easily attack your application.

We call this the "AntiSamy" attack, because Samy is the person who first discovered this attack. For more details about the AntiSamy attack, please go through this: OWASP AntiSamy Project

To prevent this attack, OWASP has released a library that takes your user input and cleans it to produce an XSS-safe string. This library is available for .NET and also for Java.

Let's integrate the Java library into ColdFusion to prevent the attack.
You can download the full ColdFusion code with an example in zip format from this link: Download ColdFusion Code.

This zip file contains the following files:
- Application.cfc
- Application_CFC_for_CF9 - Use this file as Application.cfc if you are using ColdFusion 9 or a lower version. It uses javaloader to load the library, which is not needed in CF10.
- index.cfm
- lib - This directory contains:
     antisamy-1.5.3.jar - AntiSamy Java library
     antisamy-slashdot-1.4.4.xml - AntiSamy filter settings file
- javaloader - This library is used for loading the Java library on CF9 or lower versions.

Let's review the code now:

In Application.cfc we simply load the Java library using the CF10 library-loading method and create an AntiSamy object on application start, so that the same object can be used throughout the application.

Now let's look at index.cfm:

In index.cfm we scan the input with the library and get back the clean HTML along with the errors reported by the AntiSamy scan. See the output below:
So, here we get clean HTML along with the error messages from the AntiSamy scan. You can also define your own AntiSamy rules by modifying antisamy-slashdot-1.4.4.xml. For reference, you can see the settings files for other web sites that are available on the AntiSamy library home here.
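
As an added example (this is not the code from the downloadable zip, which is not reproduced on this page), the two files described above could look like this on CF10. The jar and policy file names come from the zip listing; the application name, the `application.antiSamy` and `application.antiSamyPolicy` keys and the `form.comment` field are assumptions made for illustration.

```cfml
// ---- Application.cfc (CF10 or later) ----
component {
    this.name = "antisamyDemo"; // hypothetical application name

    // CF10 per-application Java loading: jars under ./lib go on the class path.
    // Assumes the jars AntiSamy itself depends on can be loaded as well.
    this.javaSettings = { loadPaths = ["./lib"], reloadOnChange = false };

    function onApplicationStart() {
        // Resolve the policy file relative to this component, not the requested page.
        var baseDir = getDirectoryFromPath(getCurrentTemplatePath());
        var policyFile = baseDir & "lib/antisamy-slashdot-1.4.4.xml";

        // Policy.getInstance() is static, so the class proxy is used without init().
        application.antiSamyPolicy = createObject("java", "org.owasp.validator.html.Policy")
            .getInstance(javaCast("string", policyFile));
        application.antiSamy = createObject("java", "org.owasp.validator.html.AntiSamy").init();
        return true;
    }
}

<!--- ---- index.cfm ---- --->
<cfscript>
    param name="form.comment" default=""; // hypothetical RTE field name
    cleanHtml = "";
    messages = [];
    try {
        // scan() returns a CleanResults object: sanitized markup plus what was changed.
        results = application.antiSamy.scan(javaCast("string", form.comment),
                                            application.antiSamyPolicy);
        cleanHtml = results.getCleanHTML();
        messages = results.getErrorMessages();
    } catch (any e) {
        // Fail closed: if the scan or the policy fails, render nothing from the input.
        cleanHtml = "";
        messages = ["The input could not be scanned and was discarded."];
    }
</cfscript>
<cfoutput>
    <!--- Only the scanned result is rendered; form.comment itself is never output. --->
    <div class="preview">#cleanHtml#</div>
    <ul>
        <cfloop array="#messages#" index="msg"><li>#encodeForHTML(msg)#</li></cfloop>
    </ul>
</cfoutput>
```

Store and render only `cleanHtml`; if the raw submission is kept for auditing, treat it as untrusted wherever it is displayed.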

Hope now you can integrate this library in your application!!!

Download AntiSamy from its home on Google Code
