Security Information for Portlet Developers

SQL Injection

Definition of SQL injection from OWASP:

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.

Jasig recommends using an ORM framework such as Hibernate or Hibernate-backed JPA to manage database interactions. Most current Jasig code uses Hibernate-backed JPA annotations.

Code which does not use an ORM framework should at least make use of prepared statements.

Cross-site Scripting (XSS)

Definition of cross-site scripting from OWASP:

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

JSTL fn:escapeXml function

JSTL 1.2 introduces a function that escapes XML special characters in a variable's value. This strategy can effectively escape script elements injected into HTML, though it is not a suitable strategy for escaping content within JavaScript strings.

First, ensure that you're importing the functions tag library into your JSP page:

<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

To use the function:

<div>The current group's name is ${ fn:escapeXml(group.name) }</div>

Spring escapeBody tag

Spring's escapeBody tag can be used to perform HTML and JavaScript escaping.

Escaping HTML:

<div>The current group's name is <spring:escapeBody htmlEscape="true">${ group.name }</spring:escapeBody></div>

Escaping JavaScript:

var groupName = '<spring:escapeBody javaScriptEscape="true">${ group.name }</spring:escapeBody>';
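Why XML escaping is not enough inside a JavaScript string, while JavaScript escaping is, shown as an added example that is not part of the original page and is not JSTL or Spring code. escapeXml and escapeJsString are constructed stand-ins for fn:escapeXml and javaScriptEscape="true", and the group names are constructed samples.

```javascript
// Constructed stand-in for fn:escapeXml: it replaces these five characters only.
function escapeXml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#034;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for javaScriptEscape="true": every character that can end
// or alter a string literal (or close the script block) becomes a \uXXXX escape.
function escapeJsString(s) {
  return s.replace(/[\\'"\n\r\u2028\u2029<>&\/]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Parses  var groupName = '<rendered>';  as a script block would. Returns the
// string the script ends up holding, or null if the statement no longer parses.
function valueSeenByScript(rendered) {
  try {
    return new Function("var groupName = '" + rendered + "'; return groupName;")();
  } catch (e) {
    return null;
  }
}

// Constructed sample group names; none of them is hostile.
const SAMPLES = ["O'Brien & Sons", 'Ops\\', 'Team A\nTeam B'];

function compare(name) {
  return {
    name,
    viaEscapeXml: valueSeenByScript(escapeXml(name)),
    viaEscapeJs: valueSeenByScript(escapeJsString(name)),
  };
}

for (const row of SAMPLES.map(compare)) {
  console.log(JSON.stringify(row));
}
```

With XML escaping the first name parses but the script holds the entity text, because script blocks do not decode HTML entities. The trailing backslash and the newline are left untouched and break the statement.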

OWASP AntiSamy

The Manchester News Reader portlet uses OWASP AntiSamy to clean dangerous tags from RSS feeds. This tool lets a developer configure which HTML tags are stripped from proxied content.

Encryption of sensitive data

Most portlets should not need to store user passwords. However, a portlet that does store potentially sensitive user data should encrypt it using a secure algorithm. Useful encryption resources might include Jasypt or Bouncy Castle.

Security resources