I understand that to fix the cross-site scripting, I need to validate the user input and encode the output to avoid the browser executing malicious data.
However, my application is just a pure REST API which returns JSON strings and XML strings. Fortify reported cross-site scripting persistent (stored) because the code queries data from the DB and returns it in the response.
#Java Code
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import javax.servlet.http.HttpServletRequest;

@PostMapping(path = "${api.abc.endpoint}")
public ResponseEntity<String> processRequest(@RequestBody String requestStr,
        HttpServletRequest servletRequest) {
    // buildResponse stands for the helper (not shown in the post) that queries the
    // database; the original called processRequest(requestString, ...), which does
    // not compile (requestString is undefined) and would otherwise recurse forever.
    String responseStr = buildResponse(requestStr, servletRequest);
    return ResponseEntity.ok().body(responseStr); // response can be JSON or XML
}
#Original JSON Response
{
"type":"order",
"responseCode":"001",
"responseText":"Success",
"transDesc":"Value from DB"
}
#Original XML Response
<abc:res xmlns:abc="http://sample.com/abc/">
<type>order</type>
<responseCode>001</responseCode>
<responseText>Success</responseText>
<transDesc>Value from DB</transDesc>
</abc:res>
I tried to encode the output string using the OWASP Java Encoder and got the encoded strings below, which changed the response format.
#Encoded JSON Response
{\"type\":\"order\",\"responseCode\":\"001\",\"responseText\":\"Success\",\"transDesc\":\"Value from DB\"}
#Encoded XML Response
<data contentType="application/xml;charset=UTF-8" contentLength="241">
<![CDATA[<abc:res xmlns:abc="http://sample.com/abc/"><type>order</type><responseCode>001</responseCode><responseText>Success</responseText><transDesc>Value from DB</type></abc:res>]]></data>
How can I actually fix the cross-site scripting persistent in fortify for JSON string and XML string?
Thanks.
Fortify may be too eager to detect XSS, as it assumes any data you produce could end up directly interpreted as HTML. Content sent back to the browser with XML or JSON content types isn't vulnerable to XSS by itself, though. Check that the Content-Type header being sent back isn't text/html.
The issue may be that a client would read part of the response and output it as is onto the page. The encoding here would be the client's responsibility though as what encoding to use depends on the output context.
Many client-side frameworks will HTML encode data as necessary by default. If you control the client, you should check whether it's doing its own encoding here.
Input validation can help in general too, either here or in related requests that write to the database. Input can be validated depending on what its content should be.
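An added example (not the poster's code and not a Fortify-supplied fix) of what the answer recommends: serialize each format with an explicit Content-Type and encode only the DB value for its output context, rather than encoding the whole response string as the question did. The controller class, the /order paths and the loadTransDescFromDb stand-in are assumptions; the X-Content-Type-Options: nosniff header is added so a browser will not sniff the body as HTML.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.owasp.encoder.Encode;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.LinkedHashMap;
import java.util.Map;

@RestController
public class OrderResponseController {
    // Assumed stand-in for the database lookup; the constructed value contains
    // characters that would break naive string concatenation.
    private String loadTransDescFromDb() {
        return "Value from DB <b>\"quoted\"</b>";
    }

    @GetMapping(path = "/order", produces = MediaType.APPLICATION_JSON_VALUE)
    public ResponseEntity<String> orderJson() throws JsonProcessingException {
        Map<String, String> body = new LinkedHashMap<>();
        body.put("type", "order");
        body.put("responseCode", "001");
        body.put("responseText", "Success");
        body.put("transDesc", loadTransDescFromDb());
        // Jackson escapes quotes and backslashes inside the string values only,
        // so the document stays valid JSON instead of the \" form in the question.
        String json = new ObjectMapper().writeValueAsString(body);
        return ResponseEntity.ok()
                .contentType(MediaType.APPLICATION_JSON)
                .header("X-Content-Type-Options", "nosniff") // do not sniff as HTML
                .body(json);
    }

    @GetMapping(path = "/order", produces = MediaType.APPLICATION_XML_VALUE)
    public ResponseEntity<String> orderXml() {
        // Encode.forXml is applied to the element text only, so the tags stay
        // tags and just the DB value is escaped (&lt;b&gt;...&lt;/b&gt;).
        String xml = "<abc:res xmlns:abc=\"http://sample.com/abc/\">"
                + "<type>order</type>"
                + "<responseCode>001</responseCode>"
                + "<responseText>Success</responseText>"
                + "<transDesc>" + Encode.forXml(loadTransDescFromDb()) + "</transDesc>"
                + "</abc:res>";
        return ResponseEntity.ok()
                .contentType(MediaType.APPLICATION_XML)
                .header("X-Content-Type-Options", "nosniff")
                .body(xml);
    }
}
```

Spring picks orderJson or orderXml from the request's Accept header; in both cases the response is never sent as text/html, which is the check the answer asks for.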