
Autoescaping

What does this mean?

Autoescaping, also known as automatic escaping, is a template-engine or framework feature that automatically escapes the special characters in user-supplied values as they are written into a page, so the browser treats them as text rather than markup. It prevents security vulnerabilities such as cross-site scripting (XSS).

XSS attacks occur when an attacker injects malicious code, often in the form of JavaScript, into a web page. This code is executed by the browser when the page is loaded, allowing the attacker to steal sensitive information, perform unauthorized actions, or deface the website.

What can happen?

  • The attacker can use the injected code to steal sensitive information, such as login credentials or financial information, from the website or its users.
  • The attacker can use the injected code to perform unauthorized actions on the website, such as deleting or modifying data.
  • The attacker can use the injected code to redirect users to a different website, potentially exposing them to further attacks or phishing attempts.
  • The attacker can use the injected code to launch a DDoS attack, overwhelming the website with traffic and rendering it unavailable to legitimate users.

Recommendation

  • Use autoescaping functions.
  • Use input validation and sanitization.
  • Use content security policies.
  • Use context-aware encoding.
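The last recommendation, context-aware encoding, is easiest to see with a value that lands in two different parts of a page. The following is an added example written for this page, not code from the original article or from any library; the class and method names (ContextEncoder, forHtml, forQueryParam, renderSearchResult) are hypothetical and the sample input is constructed. It uses only the Java standard library.

```java
// Added example, not code from the original page: a small context-aware
// encoder illustrating the "context-aware encoding" recommendation.
// ContextEncoder, forHtml, forQueryParam and renderSearchResult are
// hypothetical names, not a real library API.
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public final class ContextEncoder {

    private ContextEncoder() {}

    // HTML context: element text and quoted attribute values. Encoding both
    // quote characters (as numeric references, because &apos; is not part of
    // HTML 4) makes the result safe inside single- or double-quoted attributes
    // as well as in element text.
    public static String forHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#34;");  break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // URL query context: percent-encoding, which has a different alphabet of
    // special characters from HTML. Applying forHtml here instead would leave
    // '?', '=', '&' and '#' free to change the structure of the query string.
    public static String forQueryParam(String s) {
        return URLEncoder.encode(s == null ? "" : s, StandardCharsets.UTF_8);
    }

    // The same user value lands in two contexts and is encoded once per
    // context, innermost first: the query is percent-encoded to build the URL,
    // and the finished URL is then HTML-encoded because it sits inside an
    // attribute (this also serialises the '&' between parameters as &amp;).
    public static String renderSearchResult(String query, int nextPage) {
        String nextUrl = "/search?q=" + forQueryParam(query) + "&page=" + nextPage;
        return "<p>Results for: " + forHtml(query) + "</p>\n"
             + "<a href=\"" + forHtml(nextUrl) + "\">Next page</a>";
    }

    public static void main(String[] args) {
        // Constructed sample input that exercises every character the encoders treat specially.
        String query = "tom & jerry <\"cats\"> don't";
        System.out.println(renderSearchResult(query, 2));
    }
}
```

The point of the example is the layering in renderSearchResult: one encoder per context, applied in the order the browser will decode them. A single HTML encoder used everywhere would leave the URL context unprotected, and a single URL encoder used everywhere would produce unreadable text in the paragraph.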

Sample Code

Vulnerable:

import java.io.IOException;
import javax.servlet.ServletException;   // use jakarta.servlet.* on Servlet 5.0+ containers
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/comments")
public class VulnerableCommentServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Get the user's comment from the request
        String comment = request.getParameter("comment");
        // Display the comment on the page without escaping special characters:
        // any markup in the comment is interpreted by the browser (XSS)
        response.getWriter().println("<p>" + comment + "</p>");
    }
}

Non-vulnerable:

import java.io.IOException;
import javax.servlet.ServletException;   // use jakarta.servlet.* on Servlet 5.0+ containers
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.text.StringEscapeUtils;   // Apache Commons Text

@WebServlet("/comments")
public class NonVulnerableCommentServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Get the user's comment from the request (null when the parameter is absent)
        String comment = request.getParameter("comment");
        if (comment == null) {
            comment = "";
        }
        // Escape special characters in the comment. escapeHtml4 encodes &, <, >
        // and double quotes but not the apostrophe, so the result is safe in
        // element text and double-quoted attributes, not in single-quoted ones.
        String escapedComment = StringEscapeUtils.escapeHtml4(comment);
        // Declare the content type and charset so the browser does not have to guess
        response.setContentType("text/html;charset=UTF-8");
        // Display the escaped comment on the page
        response.getWriter().println("<p>" + escapedComment + "</p>");
    }
}
