JavaOne Online Technical Sessions, 2009

XSS-Proofing Your Java EE, JavaServer Pages, and JavaServer Faces Applications
TS-4374


Presenter: Jeff Williams, Aspect Security


Cross-site scripting (XSS) allows a complete takeover of the victim's Web browser and has overtaken the buffer overflow as the most prevalent application security problem. More than 70% of Java technology-based Web applications still have XSS issues. This session -- for Java Platform, Enterprise Edition (Java EE platform) developers and architects, particularly those focusing on the presentation layer -- explores all the different browser contexts in which XSS is possible, including HTML attributes, style blocks, URLs, event handlers, and more. Each of these contexts has a different escaping/encoding syntax that must be followed to prevent XSS attacks. The presentation provides a framework for using escaping to truly make XSS impossible and also demonstrates a free Open Web Application Security Project (OWASP) tool for analyzing your current JavaServer Pages and JavaServer Faces technology-based libraries to evaluate their susceptibility to XSS attack.

In the session, you will learn

  • How real-world XSS attacks work
  • Why input validation is only a partial defense
  • How to properly escape/encode output for all the browser contexts
  • How to integrate escaping/encoding into your framework
  • How to analyze component libraries for XSS vulnerability
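The abstract's central point is that escaping is context-specific: the syntax that neutralizes untrusted data inside an HTML element is not the syntax that neutralizes it inside a JavaScript string, a CSS value, or a URL parameter, and an event-handler attribute is two contexts nested (JavaScript inside an HTML attribute), so it needs both encodings applied in the right order. The following class is an added illustration of that idea and is not code from the session or from OWASP; the class and method names are my own, and the sample input is constructed.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/**
 * Added example: one whitelist-style encoder per browser context named in the
 * abstract. Alphanumerics pass through unchanged; everything else is rewritten
 * in the escape syntax of the destination context, so the browser can never
 * interpret user data as markup, script, style, or URL structure.
 * (Hypothetical class; requires Java 10+ for the URLEncoder overload used.)
 */
public final class ContextEncoder {

    private static boolean isAlnum(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    /** Element content and QUOTED attribute values: numeric entities &#xHH;. */
    public static String forHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if (isAlnum(c) || c == ' ') sb.append(c);
            else sb.append("&#x").append(Integer.toHexString(c)).append(';');
        }
        return sb.toString();
    }

    /** Inside a quoted JavaScript string literal: \xHH or \uHHHH escapes. */
    public static String forJavaScript(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if (isAlnum(c)) sb.append(c);
            else if (c < 256) sb.append(String.format("\\x%02X", (int) c));
            else sb.append(String.format("\\u%04X", (int) c));
        }
        return sb.toString();
    }

    /** Inside a CSS property or string value: \HH escapes, space-terminated. */
    public static String forCss(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            if (isAlnum(c)) sb.append(c);
            else sb.append('\\').append(Integer.toHexString(c)).append(' ');
        }
        return sb.toString();
    }

    /** A single query-string parameter value: percent-encoding from the JDK. */
    public static String forUrlParam(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed untrusted input: the kind of value a validator that only
        // blocks "<script>" would still let through in some contexts.
        String user = "O'Neil\" onmouseover=\"alert(1)";

        // Element body: HTML entity encoding is sufficient.
        System.out.println("<span>" + forHtml(user) + "</span>");

        // Quoted attribute: same encoder, but ONLY safe because the attribute is quoted.
        System.out.println("<input value=\"" + forHtml(user) + "\">");

        // Event handler = JavaScript string nested in an HTML attribute:
        // encode for JavaScript first, then for the surrounding attribute.
        System.out.println("<a onclick=\"greet('" + forHtml(forJavaScript(user)) + "')\">");

        // Script block: the value lands in a JS string literal, so JS encoding alone.
        System.out.println("<script>var name = '" + forJavaScript(user) + "';</script>");

        // Style block: CSS escaping, and the value must still be a quoted CSS string.
        System.out.println("<style>.x { font-family: '" + forCss(user) + "'; }</style>");

        // URL parameter: percent-encode the value, never the whole URL.
        System.out.println("<a href=\"/profile?name=" + forUrlParam(user) + "\">");
    }
}
```

Two practical consequences follow from the abstract's "different escaping syntax per context" observation. First, a single framework-level escaper covers only one context: JSP's `<c:out>` (with its default `escapeXml="true"`) and JSF's `<h:outputText>` (with its default `escape="true"`) perform HTML entity encoding, which is correct for element content and quoted attributes but does not protect a value written into a `<script>` block, an inline event handler, a `style` rule, or a `href`. Second, the order of nested encodings matters: for an event-handler attribute the JavaScript escape is applied first and the HTML-attribute escape last, because the browser decodes the attribute before it parses the script inside it. Placing untrusted data in an unquoted attribute, or directly as an event-handler or `javascript:` URL body, has no safe encoding at all and should be avoided by design.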