How do I secure my API from client-side scripting attacks or XSS attacks?
We have a SOAP endpoint which is accessed by many clients, and the incoming request data is to be validated for correctness and security.
There is a chance that an incoming request may contain DOM object model or any other suspicious data that breaks the application.
Like below:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:cus="http://www.abcxyz.com/aaa/bbb" xmlns:ws="http://www.abcxyz.com/aaa/bbb">
  <soapenv:Header>
    <cus:id>
      <SCRIPT>a=/XSS/alert(a.source)</SCRIPT>
    </cus:id>
  </soapenv:Header>
  <soapenv:Body>
    <cus:cancelRequest>
      <!--Optional:-->
      <ws:transactionId>10000</ws:transactionId>
      <ws:systemId>CCC</ws:systemId>
      <ws:userId>USER_NAME</ws:userId>
      <cus:cancelElements>
        <cus:elementType>NAME</cus:elementType>
        <cus:elementId>AB123</cus:elementId>
      </cus:cancelElements>
    </cus:cancelRequest>
  </soapenv:Body>
</soapenv:Envelope>
If there is any attack from a hacker passing malicious data as part of the request parameters, then I need to handle it and throw an error, or not allow the data to be processed.
The solution for this is: you have to write an XSD (schema definition) file, and this XSD should be able to validate the elements in the above-mentioned XML file.
Answer: You have to import the package javax.xml.* . With it you will be able to validate your XML file against your XSD.
For example: Employee.xsd and EmployeeRequest.xml
Employee.xsd:
<schema xmlns="http://www.w3.org/2001/XMLSchema">
  <simpleType name="Imei">
    <annotation>
      <documentation>A string representing the IMEI number. An IMEI is 15 digits.</documentation>
    </annotation>
    <restriction base="string">
      <pattern value="\d{15}"/>
    </restriction>
  </simpleType>
</schema>
validateXMLSchema("Employee.xsd", "EmployeeRequest.xml");
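The answer calls a validateXMLSchema helper that it does not show. The following is an added example, not code from the question or the answer, that applies the same idea to the cancelRequest message in the question using javax.xml.validation: a constructed XSD for the http://www.abcxyz.com/aaa/bbb namespace declares every accepted element with a tight pattern, the SOAP message is parsed with DTDs disabled, and each child of the SOAP Header and Body is validated against that schema. The cus:id header is declared as a plain token, so the SCRIPT element nested inside it fails validation as element content in a simple-typed element. The class name SoapRequestValidator, the schema contents and the helper methods are assumptions made for this example; it needs Java 15 or later for the text block.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hypothetical validator for the cancelRequest message shown in the question (example code). */
public class SoapRequestValidator {

    static final String NS = "http://www.abcxyz.com/aaa/bbb";            // namespace from the question
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";

    // Constructed schema for that namespace: every accepted element is declared with a
    // tight pattern, so element content such as <SCRIPT> inside <cus:id> fails validation.
    static final String SCHEMA = """
        <schema xmlns="http://www.w3.org/2001/XMLSchema" xmlns:cus="http://www.abcxyz.com/aaa/bbb"
                targetNamespace="http://www.abcxyz.com/aaa/bbb" elementFormDefault="qualified">
          <simpleType name="token"><restriction base="string"><pattern value="[A-Za-z0-9_]{1,36}"/></restriction></simpleType>
          <simpleType name="digits"><restriction base="string"><pattern value="[0-9]{1,18}"/></restriction></simpleType>
          <element name="id" type="cus:token"/>
          <element name="cancelRequest">
            <complexType><sequence>
              <element name="transactionId" type="cus:digits"/>
              <element name="systemId" type="cus:token"/>
              <element name="userId" type="cus:token"/>
              <element name="cancelElements">
                <complexType><sequence>
                  <element name="elementType" type="cus:token"/>
                  <element name="elementId" type="cus:token"/>
                </sequence></complexType>
              </element>
            </sequence></complexType>
          </element>
        </schema>
        """;

    /** Parses the message with DTDs disabled, so entity tricks (XXE, entity expansion) are refused before validation. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static Schema loadSchema() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return sf.newSchema(new StreamSource(new StringReader(SCHEMA)));
    }

    /** Validates each application element in the SOAP Header and Body; returns the first violation, or null if clean. */
    static String validate(String soapXml) throws Exception {
        Document doc = parse(soapXml);
        Validator validator = loadSchema().newValidator();
        for (String part : new String[] {"Header", "Body"}) {
            NodeList parts = doc.getElementsByTagNameNS(SOAP_NS, part);
            if (parts.getLength() == 0) continue;
            NodeList children = parts.item(0).getChildNodes();
            for (int i = 0; i < children.getLength(); i++) {
                Node n = children.item(i);
                if (n.getNodeType() != Node.ELEMENT_NODE) continue;
                // Allow-list: only elements from the service namespace are accepted here.
                // A real service would also admit known headers such as WS-Security.
                if (!NS.equals(n.getNamespaceURI())) return "unexpected element " + n.getNodeName();
                try {
                    validator.validate(new DOMSource(n));
                } catch (SAXException e) {
                    return n.getNodeName() + ": " + e.getMessage();
                }
            }
        }
        return null;
    }

    /** Wraps the question's body in an envelope with a caller-supplied header (constructed test input). */
    static String envelope(String header) {
        return "<soapenv:Envelope xmlns:soapenv='" + SOAP_NS + "' xmlns:cus='" + NS + "' xmlns:ws='" + NS + "'>"
            + "<soapenv:Header>" + header + "</soapenv:Header>"
            + "<soapenv:Body><cus:cancelRequest>"
            + "<ws:transactionId>10000</ws:transactionId><ws:systemId>CCC</ws:systemId><ws:userId>USER_NAME</ws:userId>"
            + "<cus:cancelElements><cus:elementType>NAME</cus:elementType><cus:elementId>AB123</cus:elementId></cus:cancelElements>"
            + "</cus:cancelRequest></soapenv:Body></soapenv:Envelope>";
    }

    public static void main(String[] args) throws Exception {
        String tampered = "<cus:id><SCRIPT>a=/XSS/alert(a.source)</SCRIPT></cus:id>"; // header from the question
        System.out.println("tampered: " + validate(envelope(tampered)));                // should be rejected
        System.out.println("clean:    " + validate(envelope("<cus:id>AB123</cus:id>"))); // should pass
    }
}
```

When validate returns a non-null message, the endpoint should reply with a generic SOAP fault and log the violation server-side rather than echoing the offending content back to the caller, since reflecting it in a response is exactly what turns a bad request into an XSS problem for whoever renders that response.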