
Tomcat 7 introduces cross site scripting

January 28th, 2011

Good news for those of you who had been waiting on Tomcat 7: a stable release has been announced. Another feature has made its way into Tomcat 7 and has been back-ported into earlier versions of Tomcat: protection against cross-site scripting (XSS) through HttpOnly cookies.

We had talked in detail about cross-site scripting issues and how to fix them. Developers should be careful wherever scripts from other origins are involved.

Mark Thomas, SpringSource employee and member of the Apache Security Committee, shares some of the insight behind the new cross-site scripting (XSS) protection feature introduced into Tomcat 7, 6 and 5 through this latest release effort.

In describing the problem, Mark explains:

Cross-site scripting (XSS) is the leading form of security vulnerability for web applications today. This vulnerability is found when attackers are able to inject client-side scripting into web pages by tricking the browser into trusting scripts run from malicious hosts. These scripts usually access user and session information stored in cookies, and allow the hackers to forge trusted user behavior. The result can allow hijackers to control your user account, change your account settings, or redirect web traffic to malicious or false advertising sites. Recently, there has been an increase in high-profile cross-site scripting attacks on sites like Twitter and IBM’s DeveloperWorks, which illustrate how common these vulnerabilities are on web sites both large and small.

To address this threat, a few cross-site scripting issues have been fixed in Tomcat 7. The ASF has used an unofficial, yet widely supported, extension to the Cookie specifications – httpOnly cookies.

For Tomcat installations that support multiple web applications, it is possible to configure this context element globally, or individually for specific applications. The value set in the context.xml for an individual web application will override anything configured for global defaults. For instance:

  • Setting useHttpOnly to true in the $CATALINA_BASE/conf/context.xml file will turn on cross-site script protection for all webapps.
  • Setting useHttpOnly to false in the $CATALINA_BASE/conf/[enginename]/[host]/context.xml.default file will override the script protection for all webapps of that host.
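To make the precedence rules above concrete, here is an added example (not part of the original post and not Tomcat's own code) that reads the useHttpOnly attribute from constructed context.xml fragments, resolves which level wins in the order global, host default, per-application, and then checks whether a Set-Cookie header actually carries the HttpOnly flag, which is how a defender verifies that the configuration took effect. The XML fragments and the Set-Cookie header values are constructed sample data; the ordering of the three context levels is taken from the description above.

```python
# Added example: inspecting Tomcat's useHttpOnly setting and verifying the
# resulting Set-Cookie header. All input here is constructed sample data.
import xml.etree.ElementTree as ET

# Constructed context.xml fragments. The real files live under $CATALINA_BASE/conf
# (global), $CATALINA_BASE/conf/[enginename]/[host]/context.xml.default (host)
# and the web application's own META-INF/context.xml (per application).
GLOBAL_CONTEXT_XML = """
<Context useHttpOnly="true">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
"""

HOST_CONTEXT_XML = """
<Context useHttpOnly="false">
</Context>
"""

# Per-application fragment that does not mention useHttpOnly at all.
APP_CONTEXT_XML = """
<Context>
</Context>
"""


def use_http_only(context_xml):
    """Return True/False for an explicit useHttpOnly on <Context>, or None if unset."""
    root = ET.fromstring(context_xml.strip())
    if root.tag != "Context":
        raise ValueError("expected a <Context> root element, got <%s>" % root.tag)
    value = root.get("useHttpOnly")
    if value is None:
        return None
    return value.strip().lower() == "true"


def effective_http_only(*context_xmls):
    """Resolve precedence: pass fragments in the order global, host default,
    per application; a more specific level that sets the attribute overrides the
    levels before it. Returns None if no level sets it, in which case Tomcat's
    built-in default applies (not modelled here)."""
    result = None
    for xml_text in context_xmls:
        value = use_http_only(xml_text)
        if value is not None:
            result = value
    return result


def cookie_is_http_only(set_cookie_header, cookie_name="JSESSIONID"):
    """Check one Set-Cookie header value for the HttpOnly attribute.
    Returns True/False for the named cookie, or None if the header is for a
    different cookie or is malformed. Attribute names are case-insensitive."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    if not parts or "=" not in parts[0]:
        return None
    name = parts[0].split("=", 1)[0].strip()
    if name != cookie_name:
        return None
    return any(p.lower() == "httponly" for p in parts[1:])


if __name__ == "__main__":
    # Global default on, host default off: the host setting wins.
    print("host overrides global:", effective_http_only(GLOBAL_CONTEXT_XML, HOST_CONTEXT_XML))
    # Constructed Set-Cookie header values as a Tomcat response would carry them.
    print(cookie_is_http_only("JSESSIONID=0123ABCD; Path=/shop; HttpOnly"))
    print(cookie_is_http_only("JSESSIONID=0123ABCD; Path=/shop"))
```

In practice, after changing the configuration, fetch a page that creates a session and run the Set-Cookie value from the response through cookie_is_http_only; a False result for JSESSIONID means a more specific context.xml is overriding the global setting, which effective_http_only lets you reason about without restarting the server.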

You can find the detailed post here

Comment #1, October 25th, 2012 at 20:52:

    this is so bored to be on lol
