3

I have scanned my application in the HP Fortify portal and am getting an issue: Cross-Site Scripting: Poor Validation (Input Validation and Representation, Data Flow).

I am already using ESAPI library.

What should I do to solve this issue? Is there any other library/jar to validate the inputs?

Thanks in advance.

Shruti

3 Answers

4

Fortify "Cross-Site Scripting: Poor Validation" is complaining that your OUTPUT encoding is either improper or not effective. The purpose of output encoding (escaping) is to confine the special characters (meta characters) to a literal string, so they cannot be executed as a command.

To remediate, do the following:

Step#1. Determine who is going to consume this "to be encoded context".

Step#2. Properly encode the context based on the delivery protocol and the downstream needs. For example:

  • If the data is being consumed in the [?query] part of the URL, you need to find a function to wrap (aka encode, escape) the 18 reserved characters (! * ' ( ) ; : @ & = + $ , / ? # [ ]) that have special meaning to the HTTP protocol (it is not necessary to encode the entire URL). (Read RFC 3986 Sec. 2.2 for details.)
  • If the data is being consumed as an XML entity, you need to encode the 5 meta characters (& < > " ') (check the W3C XML Spec Sec. 2.4). But this is not always true: data used in a comment, in a processing instruction, or in a CDATA section doesn't need to be encoded.

Step#3. Collect encoding examples for future pick-and-use. (Sorry, when posted as code some contents changed, so they were posted as images.)

You need to consider the overhead of the ESAPI library: is it worth loading a 30 MB jar for one fix?

Output encoding using the lightweight org.owasp.encoder library

user1836982
0

This happens when you're using encoding to prevent XSS. If you weren't encoding you would get a critical XSS finding. Since you're encoding, it's moved to a medium. To fully prevent XSS, you would want to use the proper encoding given the context and then make sure your inputs are being validated. There are libraries out there that can help, such as Apache Struts Validator, but even then Fortify will not be able to accurately determine whether your input validation is sufficient. Static analysis products can't determine the type of data inside a variable, so there's really no good way to check for proper validation. What you want to do is validate the input, and once you're certain the finding is satisfied with encoding and input validation, you can suppress the finding.

After you've written the validation methods you can store them in a jar file and then write custom rules for Fortify so that it knows those methods provide XSS validation. This issue would not occur in future scans. Check out Dataflow Cleanse Rules in the Fortify Custom Rules Guide.

Eric
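The answer above separates two things: encoding the output for its context, and validating the input with an allow-list that a custom Fortify cleanse rule can later be pointed at. The following is an added example (not code from the answer, from Fortify, or from ESAPI) of what such a validation method looks like in plain Java: a per-field allow-list that returns the value only when it matches, and rejects everything else. The class name `InputValidator`, the method names, the field names and the regular expressions are all hypothetical and constructed for the demo.

```java
// Added example, not from the original answer: allow-list input validation of
// the kind a Fortify DataflowCleanseRule could be written against.
// Class, method and field names below are hypothetical; the patterns are
// constructed for this demo and should be narrowed to each real field's format.
import java.util.Map;
import java.util.regex.Pattern;

public final class InputValidator {

    // One narrow allow-list per field. Only the characters the field legitimately
    // needs are accepted; anything else (including HTML or URL meta characters)
    // fails validation rather than being "cleaned up".
    private static final Map<String, Pattern> ALLOWED = Map.of(
        "username", Pattern.compile("[A-Za-z0-9_]{3,32}"),
        "zipcode",  Pattern.compile("[0-9]{5}(-[0-9]{4})?"),
        "orderId",  Pattern.compile("ORD-[0-9]{6,10}")
    );

    private InputValidator() {}

    /**
     * Returns the input unchanged if it fully matches the allow-list for the
     * named field; otherwise throws. Pattern.matcher(...).matches() requires the
     * whole string to match, so no anchors are needed in the patterns.
     */
    public static String getValidInput(String field, String input, boolean allowEmpty) {
        Pattern pattern = ALLOWED.get(field);
        if (pattern == null) {
            // Unknown fields are a programming error, not a data error: fail closed.
            throw new IllegalArgumentException("no validation rule for field: " + field);
        }
        if (input == null || input.isEmpty()) {
            if (allowEmpty) {
                return "";
            }
            throw new IllegalArgumentException(field + " must not be empty");
        }
        if (!pattern.matcher(input).matches()) {
            throw new IllegalArgumentException(field + " rejected by allow-list");
        }
        return input;
    }

    /** Convenience wrapper for callers that only need a yes/no answer. */
    public static boolean isValid(String field, String input) {
        try {
            getValidInput(field, input, false);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one clean value and two that carry meta characters.
        String[][] samples = {
            {"username", "shruti_01"},
            {"username", "<b>shruti</b>"},
            {"zipcode",  "12345-6789"},
            {"orderId",  "ORD-123456?x=1"},
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " = " + s[1] + " -> valid: " + isValid(s[0], s[1]));
        }
    }
}
```

Validation like this is a complement to output encoding, not a replacement for it: a valid username still has to be encoded for the HTML, attribute, JavaScript or URL context it is written into. Keeping the validator in its own jar, as the answer suggests, is what makes it practical to describe the method to Fortify in a custom rule.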
0

Fortify understands the ESAPI libraries very well, so can you please tell me which function of the ESAPI lib you are calling at the input and output call? You can refer to https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet for the various contexts and validations you have to use for XSS, and based on the context you need to use the ESAPI functions.

In your case you're using simple encoding, which is not an accurate solution, so though Fortify has reduced the severity it is still an issue; please use the correct ESAPI function at source and sink. Fortify should not flag an issue then. And if you still see it, create a custom rule as said in the other answer.

  • I have used ESAPI.encoder() to encode the value. Am I going the right way? – Shruti Feb 17 '16 at 10:06
  • Sorry, was travelling; that is not correct, you need to use encoding as per your context... I can see another user has answered it in detail, which looks like a perfect solution. – SecurityNinja Mar 07 '16 at 05:12
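Both the first answer (Step#2: pick the encoder from the consuming context, and the org.owasp.encoder library as a lighter alternative to ESAPI) and the last one (one generic call to ESAPI.encoder() is not enough; the encoding must match the context) make the same point. The following is an added example, not code from either answer or from the OWASP projects, that renders one untrusted value into five different output contexts with the matching function from the OWASP Java Encoder library. It assumes `org.owasp.encoder:encoder` is on the classpath; the class name, the method names and the sample input are constructed for the demo.

```java
// Added example, not from the original answers: one untrusted value, five
// output contexts, five different encoders from org.owasp.encoder.Encode.
// Assumes the OWASP Java Encoder artifact (org.owasp.encoder:encoder) is on the
// classpath. Class name, method names and the sample input are constructed.
import org.owasp.encoder.Encode;

public class ContextualEncodingDemo {

    /** Text between HTML tags: escapes & < > " ' so tags cannot start here. */
    static String htmlBody(String untrusted) {
        return "<p>" + Encode.forHtml(untrusted) + "</p>";
    }

    /** Quoted HTML attribute value: a stricter set than element text. */
    static String htmlAttribute(String untrusted) {
        return "<input type=\"text\" value=\"" + Encode.forHtmlAttribute(untrusted) + "\">";
    }

    /** String literal inside an inline script: backslash-style escaping, not HTML entities. */
    static String jsStringLiteral(String untrusted) {
        return "<script>var who = '" + Encode.forJavaScript(untrusted) + "';</script>";
    }

    /**
     * A single query-string parameter value: percent-encodes the RFC 3986
     * reserved characters (and everything else outside the unreserved set),
     * leaving the rest of the URL untouched.
     */
    static String urlQueryParam(String untrusted) {
        return "/search?q=" + Encode.forUriComponent(untrusted);
    }

    /** Text content of an XML element: the five XML meta characters become entities. */
    static String xmlText(String untrusted) {
        return "<name>" + Encode.forXml(untrusted) + "</name>";
    }

    public static void main(String[] args) {
        // Constructed sample input carrying meta characters for every context above:
        // angle brackets, ampersand, both quote styles and URL reserved characters.
        String untrusted = "Shruti <b>&</b> \"quoted\" 'single' ?a=1&b=2#frag";

        System.out.println("HTML body      : " + htmlBody(untrusted));
        System.out.println("HTML attribute : " + htmlAttribute(untrusted));
        System.out.println("JS string      : " + jsStringLiteral(untrusted));
        System.out.println("URL query param: " + urlQueryParam(untrusted));
        System.out.println("XML text       : " + xmlText(untrusted));
    }
}
```

Run it once and compare the five lines: the same input comes out differently in each context, which is exactly why a single `ESAPI.encoder()` call chosen without regard to the sink leaves the finding open. If you stay on ESAPI rather than the lighter encoder jar, the equivalents are `ESAPI.encoder().encodeForHTML(...)`, `encodeForHTMLAttribute(...)`, `encodeForJavaScript(...)`, `encodeForURL(...)` and `encodeForXML(...)`, and Fortify's ESAPI rules recognise those context-specific calls.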