Tuesday, December 01, 2009

Secure applications with JSF2: XSS

Securing web applications with JSF2 is a lot easier than it used to be, because Java EE provides many security features out of the box. Let us examine these features in the context of the OWASP Top Ten: actually try to attack the application and analyze the results.

XSS (Cross-Site Scripting): protection against XSS is built in and enabled by default. I created a sample application with NetBeans, which has a nice code generator for JSF2 CRUD operations.

JSF code to display a field (the escape attribute defaults to true, so the value is HTML-encoded on output): <h:outputText value="#{item.description}" />

Let us inject an XSS vector from http://ha.ckers.org/xss.html into the description field.

Result after injecting JavaScript into the description field:

[Screenshot: ProductListWithEscape]

Note that the JavaScript is displayed in the table as is; it is not executed. Another screenshot, this time with IE:

[Screenshot: ProductListWithEscapeIE]

I got a similar result with Chrome.

Next I modified the JSF to disable output escaping: <h:outputText value="#{item.description}" escape="false"/>. With escape="false" the value is written into the response verbatim, so any markup it contains is interpreted by the browser.

Popup in Firefox:

[Screenshot: ProductListWithOutEscapeFF]

Hacked result in Firefox:

[Screenshot: ProductListWithOutEscapeFF2]

Hacked result in IE:

[Screenshot: ProductListWithOutEscapeIE]

Hacked result in Chrome. Interestingly, Chrome was not able to render the page:

[Screenshot: ProductListWithOutEscapeChrome]

Conclusion: JSF provides XSS protection by default, as long as you leave escape at its default of true on output components. Use escape="false" only for values that are trusted or have already been sanitized, and keep in mind that HTML entity encoding protects element content; it does not make a value safe to place inside a JavaScript or URL context. I will soon present the results of more attacks.
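To make the difference between the two tags above concrete, here is an added Java example (not code from the original post and not JSF's own renderer source). It approximates what h:outputText does with escape at its default of true versus escape="false", and adds a small audit helper that flags escape="false" in Facelets source. The encoder is a minimal approximation of the HTML entity encoding JSF applies, the class and method names are my own, and both the payload and the Facelets snippet are constructed for the demonstration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not from the original post and not JSF's renderer source.
 * Approximates what <h:outputText> does with and without escape="false":
 * with escaping (the default) the value is HTML-entity encoded before it is
 * written into the response; with escape="false" it is written verbatim.
 */
public class OutputTextEscapeDemo {

    /**
     * Minimal HTML entity encoder (assumption: an approximation of JSF's
     * default output escaping, covering the characters that can break out
     * of an element's text content or a quoted attribute).
     */
    static String htmlEscape(String value) {
        if (value == null) return "";
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Mimics <h:outputText value="..." escape="..."/> rendered inside a table cell. */
    static String renderCell(String description, boolean escape) {
        String text = escape ? htmlEscape(description) : description;
        return "<td>" + text + "</td>";
    }

    private static final Pattern UNESCAPED =
            Pattern.compile("escape\\s*=\\s*\"false\"", Pattern.CASE_INSENSITIVE);

    /** Audit helper: 1-based line numbers in a Facelets page that disable escaping. */
    static List<Integer> findUnescapedOutputs(String faceletsSource) {
        List<Integer> hits = new ArrayList<>();
        String[] lines = faceletsSource.split("\n");
        for (int i = 0; i < lines.length; i++) {
            if (UNESCAPED.matcher(lines[i]).find()) hits.add(i + 1);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed test vector in the spirit of the ha.ckers.org cheat sheet,
        // not copied from it.
        String payload = "<script>alert('xss')</script>";

        // Default: the browser shows the script tag as text, exactly as in the
        // first screenshots.
        System.out.println("default      : " + renderCell(payload, true));
        // escape="false": the script tag reaches the browser unchanged and runs.
        System.out.println("escape=false : " + renderCell(payload, false));

        // Constructed Facelets fragment modelled on the generated CRUD table.
        String facelet = String.join("\n",
            "<h:dataTable value=\"#{productController.items}\" var=\"item\">",
            "  <h:column><h:outputText value=\"#{item.name}\"/></h:column>",
            "  <h:column><h:outputText value=\"#{item.description}\" escape=\"false\"/></h:column>",
            "</h:dataTable>");
        System.out.println("escape=\"false\" on lines: " + findUnescapedOutputs(facelet));
    }
}
```

Run it with javac and java; the first two lines of output show the same payload encoded and verbatim, and the audit helper reports the one line of the fragment that turns escaping off. Running findUnescapedOutputs over every .xhtml file in a build is a cheap way to list the places where the default protection has been switched off and therefore deserve a code review.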