2.3 Cross-Site Scripting (XSS)

XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user-supplied data in a page sent to the browser without properly validating or escaping that content. Oracle Banking Trade Finance is coded with the following XSS prevention rules in view:
  1. Technique #1: HTML Escape Before Inserting Untrusted Data into HTML Element Content

    Across the Oracle Banking Trade Finance application, context-specific escaping is used to sanitize untrusted data. For HTML content, the following function escapes the potentially tainted data:

    public static String escapeHTML(String input);

    The following characters are escaped with HTML entity encoding so that the data cannot switch into any execution context, such as script, style, or event handlers. The recommended hex entities are used. In addition to the five characters significant in XML (&, <, >, ", '), the forward slash is included because it helps to end an HTML entity.

    & --> &amp;
    < --> &lt;
    > --> &gt;
    " --> &quot;
    ' --> &#x27;
    / --> &#x2F;
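    The table above is a specification, not code. The following is an added example (written for this page, not Oracle's implementation) of an escapeHTML function that applies exactly those six replacements; the class name HtmlEscapeExample, the null-to-empty-string behaviour and the sample input are assumptions of the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example of HTML entity escaping for element content (not Oracle Banking Trade Finance code). */
public final class HtmlEscapeExample {

    private HtmlEscapeExample() {}

    // The six replacements from the table above; the hex entities are the recommended forms.
    private static final Map<Character, String> HTML_ENTITIES = new LinkedHashMap<>();
    static {
        HTML_ENTITIES.put('&', "&amp;");
        HTML_ENTITIES.put('<', "&lt;");
        HTML_ENTITIES.put('>', "&gt;");
        HTML_ENTITIES.put('"', "&quot;");
        HTML_ENTITIES.put('\'', "&#x27;");
        HTML_ENTITIES.put('/', "&#x2F;");
    }

    /**
     * Escapes untrusted data for insertion into HTML element content.
     * A null input is rendered as an empty string (assumption of this example).
     */
    public static String escapeHTML(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            String entity = HTML_ENTITIES.get(c);
            // Characters outside the table are copied through unchanged.
            out.append(entity != null ? entity : String.valueOf(c));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a free-text remark containing markup and an ampersand.
        String tainted = "Ref 42 </span><script>x</script> & more";
        String safe = escapeHTML(tainted);
        System.out.println(safe);
        // Prints:
        // Ref 42 &lt;&#x2F;span&gt;&lt;script&gt;x&lt;&#x2F;script&gt; &amp; more
        // Every character that could open a tag, close a tag or start an entity is now inert text.
        // Escape once, at output time: escaping already-escaped data turns "&amp;" into "&amp;amp;".
    }
}
```

    Because the loop handles one character at a time and '&' is in the table, the output never contains an unescaped entity start, so the result is safe for element content regardless of input order. It is not sufficient on its own for attribute values without quotes, URLs or JavaScript, which is why the remaining techniques exist.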

  2. Technique #2: JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values

    Including untrusted data inside any other JavaScript context is quite dangerous, as it is extremely easy to switch into an execution context with characters including (but not limited to) semicolon, equals, space, plus, and many more. For JavaScript context, the following function escapes the potentially tainted data:

    public static String escapeJavaScript(String input);

  3. Technique #3: Escape JavaScript Characters

    This works in conjunction with rule #2. Except for alphanumeric characters, Oracle Banking Trade Finance escapes all characters with code points below 256 using the \xHH format, to prevent switching out of the data value into the script context or into another attribute. No escaping shortcuts such as \" are used, because the quote character may be matched by the HTML attribute parser, which runs first. These shortcuts are also susceptible to "escape-the-escape" attacks, where the attacker sends \" and the vulnerable code turns that into \\", which re-enables the quote.
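    The following added example (not Oracle's implementation) covers Techniques #2 and #3 together: an escapeJavaScript function that applies the \xHH rule to every non-alphanumeric character below 256, shown beside a naive "escape the quote" shortcut so the escape-the-escape failure described above is visible. The class name JsEscapeExample, the \uHHHH form for characters at or above 256, and the sample input are assumptions of the example.

```java
/** Added example of JavaScript data-value escaping (not Oracle Banking Trade Finance code). */
public final class JsEscapeExample {

    private JsEscapeExample() {}

    /**
     * Escapes untrusted data for use inside a quoted JavaScript string literal.
     * Alphanumerics pass through; every other character below 256 becomes \xHH;
     * characters at or above 256 become \uHHHH (assumption, so non-Latin text survives).
     */
    public static String escapeJavaScript(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() * 4);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) {
                out.append(c);
            } else if (c < 256) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    /** The shortcut the text warns against, kept only to show why it fails. */
    public static String naiveQuoteEscape(String input) {
        return input.replace("\"", "\\\"");
    }

    public static void main(String[] args) {
        // Constructed sample, the text  \"; x=1; //  (a backslash followed by a double quote).
        String tainted = "\\\"; x=1; //";

        // Shortcut: the attacker's backslash now escapes our backslash, leaving the quote live,
        // so  var v = "<here>";  becomes  var v = "\\"; x=1; //";  and the literal ends early.
        System.out.println(naiveQuoteEscape(tainted));
        // Prints: \\"; x=1; //

        // Full escaping: the backslash and the quote are both hex-escaped, so no character can
        // terminate the literal, and the HTML attribute parser sees no quote either.
        System.out.println(escapeJavaScript(tainted));
        // Prints: \x5C\x22\x3B\x20x\x3D1\x3B\x20\x2F\x2F
    }
}
```

    The escaped form is only safe when the output is placed inside a quoted string literal (for example between double quotes in an inline script or event handler); inserting it unquoted, or into a script block as code rather than data, is a different context that this function does not protect.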

  4. Technique #4: URL Escape and Strictly Validate Before Inserting Untrusted Data into HTML URL Parameters

    Oracle Banking Trade Finance encodes URLs with the URLEncoder Java class. It does not check for a valid URL; it URL-encodes the data directly, and the encoding applied depends on the display context.
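    The following added example (not Oracle's code) shows the way URLEncoder is meant to be used for this rule: each untrusted parameter value is encoded on its own before it is placed in the query string, and encoding the complete URL instead corrupts the separators. The class name UrlParamExample, the buildQuery helper and the sample values are assumptions of the example; URLEncoder.encode(String, Charset) requires Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example of URL-parameter encoding with java.net.URLEncoder (not Oracle Banking Trade Finance code). */
public final class UrlParamExample {

    private UrlParamExample() {}

    /**
     * Builds "base?k1=v1&k2=v2", encoding every key and value separately so that
     * '&', '=', '/', '?' and '<' inside untrusted data cannot alter the URL structure.
     */
    public static String buildQuery(String base, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(base).append('?');
        boolean first = true;
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!first) {
                sb.append('&');
            }
            first = false;
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values as a user might submit them.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("contractRef", "LC/2024/001 & draft");
        params.put("note", "<b>x</b>");

        System.out.println(buildQuery("/tf/contract", params));
        // Prints: /tf/contract?contractRef=LC%2F2024%2F001+%26+draft&note=%3Cb%3Ex%3C%2Fb%3E

        // Wrong use: encoding a complete URL also encodes its own separators and breaks it.
        System.out.println(URLEncoder.encode("/tf/contract?contractRef=LC/2024/001", StandardCharsets.UTF_8));
        // Prints: %2Ftf%2Fcontract%3FcontractRef%3DLC%2F2024%2F001

        // Context note: when the resulting URL is written into an href attribute, it must
        // additionally be HTML-attribute-escaped (Technique #1); URL encoding alone does not
        // cover that context, which is what "encoding based on the context of display" refers to.
    }
}
```

    URLEncoder produces application/x-www-form-urlencoded output (space becomes '+'), which is correct for query parameters but not for path segments. Since this technique only encodes and does not validate, any place where untrusted data supplies the whole URL rather than a parameter value still needs an allowlist check on the scheme and host before it is emitted.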

  5. Technique #5: Use of HttpOnly and Secure Cookie Flags

    Oracle Banking Trade Finance sets the HttpOnly flag on the session cookie and on any custom cookies that are not accessed by JavaScript.
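    As an added example (not Oracle's code), the following shows how a servlet sets both flags named in this technique and how a response header can be checked for them, which is the verification a reviewer would run against a deployed instance. The class name CookieFlagsExample, the helper names and the sample header are assumptions of the example; Cookie.setHttpOnly requires the Servlet 3.0 API or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

/** Added example of HttpOnly and Secure cookie handling (not Oracle Banking Trade Finance code). */
public final class CookieFlagsExample {

    private CookieFlagsExample() {}

    /** Builds a cookie that scripts cannot read and that is only sent over TLS. */
    public static Cookie hardenedCookie(String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true); // not exposed through document.cookie, so injected script cannot read it
        c.setSecure(true);   // never transmitted over plain HTTP
        c.setPath("/");
        return c;
    }

    /** Adds the hardened cookie to a response; the browser receives "Set-Cookie: name=value; Path=/; Secure; HttpOnly". */
    public static void addTo(HttpServletResponse resp, String name, String value) {
        resp.addCookie(hardenedCookie(name, value));
    }

    /**
     * Inspects a raw Set-Cookie header value and returns the flags that are absent.
     * An empty list means the cookie carries both HttpOnly and Secure.
     */
    public static List<String> missingFlags(String setCookieValue) {
        List<String> missing = new ArrayList<>();
        boolean httpOnly = false;
        boolean secure = false;
        // Attributes follow the name=value pair, separated by ';' and compared case-insensitively.
        for (String part : setCookieValue.split(";")) {
            String attr = part.trim().toLowerCase(Locale.ROOT);
            if (attr.equals("httponly")) {
                httpOnly = true;
            } else if (attr.equals("secure")) {
                secure = true;
            }
        }
        if (!httpOnly) {
            missing.add("HttpOnly");
        }
        if (!secure) {
            missing.add("Secure");
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample headers as they might appear in a captured response.
        String good = "JSESSIONID=abc123; Path=/; Secure; HttpOnly";
        String weak = "JSESSIONID=abc123; Path=/";
        System.out.println(missingFlags(good)); // Prints: []
        System.out.println(missingFlags(weak)); // Prints: [HttpOnly, Secure]
    }
}
```

    The container-managed session cookie is usually configured rather than created in code; in a Servlet 3.0 web.xml the session-config element's cookie-config child accepts http-only and secure settings, and the missingFlags check above is a convenient way to confirm that the deployed configuration actually produced both attributes.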