Tuesday, December 01, 2009

Secure applications with JSF JSF2 XSS

Securing web applications with JSF2 is a lot easier. Java EE provides many security features. Let's examine these features in the context of the OWASP Top Ten: actually try to attack the application and analyze the results.

XSS, or Cross-Site Scripting: protection against XSS is built in and enabled by default. I have created a sample application using NetBeans. It has a cool code generator for JSF2 CRUD operations.

JSF code to display a field: <h:outputText value="#{item.description}" />

Let's inject an XSS vector from http://ha.ckers.org/xss.html.

Result after injecting JavaScript into the description fields:


Note that the JavaScript is displayed in the table as-is; it is not executed. Another screenshot, with IE:


I got a similar result with Chrome.

Modified the JSF so that it no longer escapes the output: <h:outputText value="#{item.description}" escape="false"/>

Popup in Firefox:


Hacked result in FF:


Hacked result in IE:


Hacked result in Chrome; interestingly, Chrome was not able to render the page.


Conclusion: JSF provides XSS protection by default. I will soon present results of more attacks.
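To make the difference between the two tags above concrete, here is an added example (my own code, not from the original post or from the JSF project) that models what h:outputText emits into a table cell with the default escaping and with escape="false"; the encodeHtml method and the containsRawMarkup check are assumptions written for this demo, not JSF's implementation.

```java
// Added example, not code from the original post or from the JSF project:
// a stand-alone model of what <h:outputText> emits into a table cell with
// and without escape="false". encodeHtml is our own entity escaper, written
// to mirror the characters JSF escapes by default; it is not JSF's code.
public class OutputTextEscapeDemo {

    /** Escape the characters that let untrusted text break out of an HTML text node. */
    static String encodeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Model of <h:outputText value="..." escape="..."/> rendered in a CRUD list cell; escape=true is the default. */
    static String renderOutputText(String value, boolean escape) {
        return "<td>" + (escape ? encodeHtml(value) : value) + "</td>";
    }

    /** Review check: did any markup from the value survive into the rendered cell? */
    static boolean containsRawMarkup(String rendered) {
        String body = rendered.substring("<td>".length(),
                                         rendered.length() - "</td>".length());
        return body.indexOf('<') >= 0 || body.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample description standing in for a vector from the XSS cheat sheet.
        String description = "<script>alert('xss')</script> & more";
        String byDefault = renderOutputText(description, true);   // escape attribute omitted
        String unescaped = renderOutputText(description, false);  // escape="false"
        System.out.println("default      : " + byDefault);
        System.out.println("escape=false : " + unescaped);
        System.out.println("markup survived with default?      " + containsRawMarkup(byDefault));
        System.out.println("markup survived with escape=false? " + containsRawMarkup(unescaped));
    }
}
```

The default escaping covers the HTML body context only; escape="false" is appropriate solely for markup the application already trusts, and a value placed inside a script block, attribute or URL needs context-specific encoding instead.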


Anonymous said...

IS VERY GOOD..............................

Boxing Trader said...

Hi, very good findings on JSF2. Appreciate your effort. :)