Hi all,

As some of you may know I've spent some time researching how to apply Aspect Oriented Programming (AOP) to web application security. I haven't been able to spend as much time on the topic as I'd like, but I was able to come up with a proof of concept for Java EE applications.
I created an HTML encoding aspect using AspectJ that automatically encodes all dangerous data within a Servlet or JSPs prior to printing to stream. The net result is a tool that should effectively stop the vast majority of XSS attacks on many existing Java EE apps with only a few lines of code. Although I still need to test thoroughly, with the proof of concept I was able to secure WebGoat from nearly all server-side XSS with about 16 unique lines of code in one file. I was also able to protect Daffodil CRM from thousands of XSS vulns with about 3 unique lines of code in one file.

Now the catch(es):

- The proof of concept hasn't undergone any rigorous testing. Moreover, I haven't done any performance testing.
- The proof of concept won't currently work with tag libraries, but we will be able to extend it to automatically HTML encode data in JSTL and other common tag libraries.
- The proof of concept only performs HTML encoding; it does not perform JavaScript or HTML Attribute encoding.
- The library will only ever protect against Java EE server-side code; it will never protect against client-side DOM-based XSS or XSS where HTML encoding is an insufficient protection.

Right now I'm looking for help from people who can critique the design for holes, test the proof of concept, etc. prior to releasing the tool to the public in an open source library. If you're interested in this or would simply like to know more, please ping me. I haven't set the AOP Security library up as a project in a code repository yet but I intend to do so after I've had a few other people look over the proof of concept.
Thanks,
Rohit

--
Rohit Sethi
Security Compass
http://www.securitycompass.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
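To make the technique in the post concrete, here is an added illustrative AspectJ aspect that HTML-encodes the argument of JspWriter.print(..) in JSP-compiled servlets; it is not Rohit's proof of concept and is not taken from his library. It assumes AspectJ compile-time or load-time weaving, the javax.servlet.jsp API, and the Jasper (Tomcat) convention that template text is emitted with out.write(...) while <%= expr %> is emitted with out.print(expr); the names HtmlEncodingAspect and htmlEncode are hypothetical.

```java
// Added illustration, not the original proof of concept: an AspectJ aspect
// that HTML-encodes values passed to JspWriter.print(..) in JSP servlets.
// Assumes AspectJ weaving and the javax.servlet.jsp API are on the classpath.
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;

@Aspect
public class HtmlEncodingAspect {

    // Jasper compiles template text to out.write("...") and <%= expr %> to
    // out.print(expr). Advising print(String)/print(Object) but not write(..)
    // encodes dynamic expressions while leaving the page's own markup alone.
    // Only String/Object overloads are matched so proceed() never hands a
    // String to a primitive or char[] parameter.
    // Limitation (as the post notes): data already spliced into markup before
    // the call, e.g. out.print("<b>" + name + "</b>"), cannot be separated here,
    // and attribute/JavaScript contexts need context-specific encoding.
    @Around("(call(* javax.servlet.jsp.JspWriter.print(String))"
          + " || call(* javax.servlet.jsp.JspWriter.print(Object)))"
          + " && args(value) && within(javax.servlet.http.HttpServlet+)")
    public Object encodeBeforePrint(ProceedingJoinPoint pjp, Object value) throws Throwable {
        if (value == null) {
            return pjp.proceed();
        }
        return pjp.proceed(new Object[] { htmlEncode(String.valueOf(value)) });
    }

    // Minimal HTML-body encoding of the five characters that can break out of
    // text content; hypothetical helper, not a library routine.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

With this woven in, a JSP line such as `<%= request.getParameter("name") %>` reaches the response as encoded text, while `out.write` calls carrying the JSP's static HTML are untouched.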