
Use Active Content Filtering for Project Zero and WebSphere sMash application security

Increase application security by managing active content

Todd Kaplinger, Project Zero Architecture & Development, IBM 
Todd Kaplinger
Todd Kaplinger is a senior software engineer in IBM Software Group, currently working as architect and team lead of the Security team for Project Zero. Todd is an expert in Web-based technologies such as JSP, Servlet, and PHP, with a recent focus on emerging Web 2.0 technology and its impact on the enterprise. Todd is currently a member of the expert group responsible for JSR 223: Scripting for the Java Platform and is also a member of the Open AJAX Alliance with an interest in interoperability between various Ajax framework implementations on security. Todd acted as team lead and architect of IBM WebSphere Webcontainer and Remote Request Dispatcher (RRD) project and participated in the JSR 154 Servlet 2.5 specification as the IBM representative in the Servlet Expert group.
Masayoshi Teraguchi (teraguti@jp.ibm.com), Research Staff Member, IBM
Masayoshi Teraguchi
Masayoshi Teraguchi is a research staff member at the IBM Tokyo Research Laboratory. Masayoshi has studied XML, Web Services, and Web Services Security (WSS) for the past 5 years. His current research interests include Web 2.0 security and performance.
Gang Chen (gangchen@us.ibm.com), IBM Software Services for WebSphere, IBM 
Gang Chen
Gang Chen is a certified consulting I/T specialist in IBM Software Services for WebSphere (ISSW). Gang is an expert in helping enterprise customers with their e-business application design and implementation. Recently, he's focused on the emerging Web 2.0 technology to bring value to the enterprise customers. He is also one of the authors of the IBM Redbook "IBM WebSphere Application Server V6 Scalability and Performance Handbook."

Summary:  Dodge common Web 2.0-based application attacks, such as cross-site scripting, and dramatically increase your Project Zero application's security using Active Content Filtering (ACF). ACF is a resolvable component within Project Zero that provides a library that can remove active content from request data (such as request parameters) and response output being sent to the client. Learn about the powerful capabilities of applying ACF to a Project Zero environment in which active content might exist.

Date:  23 Jun 2008 (Published 06 Nov 2007)
Level:  Intermediate

Editor's note: IBM® WebSphere® sMash and IBM WebSphere sMash Developer Edition are based on the highly acclaimed Project Zero incubator project. Project Zero is the development community for WebSphere sMash and will continue to offer developers a cost-free platform for developing applications with the latest builds, the latest features, and the support of the community.

Introduction to ACF

As part of the introduction to ACF, you should first understand what Project Zero is. The following is a quote taken from the Project Zero Web site:

“Project Zero is an incubator project started within IBM® that is focused on the agile development of the next generation of dynamic Web applications. Project Zero introduces a simple environment for creating, assembling, and executing applications based on popular Web technologies. The Project Zero environment includes a scripting runtime for Groovy and PHP with application programming interfaces optimized for producing REST-style services, integration mash-ups, and rich Web interfaces.”

Because Project Zero's main target is the next generation of dynamic Web applications (typically categorized under the Web 2.0 umbrella), this article focuses on interactive Web applications that contain user-provided content, such as mashups, wikis, and blogs. To support these applications, Project Zero provides ACF as a library that application developers can include as part of a Zero application. ACF provides developers a method for limiting exposure to issues such as cross-site scripting, which can occur in these types of applications (see Resources for a link to a description of cross-site scripting).

About the examples

Author's note: When this article was originally written, ACF required the application developer to either use the declarative approach (defining explicit rules in the application's zero.config) or programmatic approach (using the provided APIs) to leverage the power of ACF. Based upon feedback from the Project Zero community and readers of this article, the development team was able to provide some default level of ACF protection for the following scenarios (requires zero.acf to be added as a dependency):

  • Request parameters: Removes active content (such as JavaScript, Applet, and ActiveX objects) from all inbound request parameters sent to any URI. These parameters are treated as HTML fragments.
  • JSON Content Request: Removes active content from all String values in an inbound JSON object sent to any URI. In this case, all content types are targeted.
  • JSON Content Response: Removes active content from all String values in an outbound JSON object sent by any URI. In this case, all content types except for "text/html" are targeted.

To turn off this default enablement of ACF, the sample application's zero.config includes the configuration option /config/acf/enableByDefault=false. Because there will be cases where enablement by default does not meet the requirements of the application, this article stays focused on the declarative and programmatic approaches to leveraging ACF. Where applicable, the sections of the article that could have relied on the enablement-by-default flag are denoted.

The examples provided with this article are designed to demonstrate ACF from a simple, base-use case through subsequent, increasingly complex use cases. The examples are designed to build upon what was demonstrated in each prior example. Following is a summary of the examples, each of which is described in more detail in the following sections:

  • Example 1 is a basic Ajax-enabled page that allows users to post comments to an article received from an external location. This example demonstrates what would happen in the case that active content — such as JavaScript — is included in a user comment or the article.
  • Example 2 builds upon Example 1 but includes support for the ACF library. This example demonstrates how ACF filtering works when active content — such as JavaScript — exists in the article.
  • Example 3 builds upon Example 2 but includes support for ACF filtering of request parameters. This example demonstrates how ACF filtering works when active content — such as JavaScript — is included in a user comment.

The Project Zero community
Take a stroll around the Project Zero Web site and see how Project Zero provides a powerful but radically simple development and execution platform for modern Web applications. The active community discusses project development, provides help to developers, and wants to hear your ideas!

You can download this sample application from the Download section of this article to get the hands-on experience of enabling the features of ACF. Mimicking a Web news aggregation and blogs application, the sample application allows you to post comments on today’s news to the server, which in turn displays the comments back to the other viewers. As shown in Figure 1, the top of the page displays the result of the news aggregation, where you can see the potential malicious content (the blinking red text) being injected. Clicking the Original source of the news title pane shows you the original HTML content of the news aggregation. You can also post comments at the bottom text area Enter your comments here, which is displayed instantly in the All comments area after clicking the Post your comment button.


Figure 1. ACF sample
ACF sample application

We use the latest Web 2.0 platform from IBM, Project Zero, to build the server-side component. The sample application's front end uses the emerging Dojo and Ajax technologies.

Project Zero provides ACF support through the zero.acf library, which has been configured as one of the application dependencies in the ivy.xml file. Included in this article is a zip file containing the sample application (named ACFSampleApp-1.0.0.zip). Using your favorite zip utility, unzip the resource to your preferred location on disk.

For command line users:

  1. Install the IBM WebSphere sMash command line utility per the instructions on the WebSphere sMash Web site (see Resources).
  2. Go to the directory where you unzipped the sample application.
  3. Start the application with zero start.

For application builder users:

  1. Install the IBM WebSphere sMash command line utility per the instructions on the WebSphere sMash Web site (see Resources).
  2. Start the application builder by navigating to the zero directory (where the CLI was installed) and running the "startAppBuilder" script.
  3. Install the OpenID demo application from the WebSphere sMash repository using the "Browse Applications" link on the left-hand side of the panel.
  4. Start the application by clicking on the play button associated with the ACFSampleApp application (see Download).

Next, direct your browser to http://localhost:8080 to test the sample application.

Scenario 1: ACF response filtering

The first scenario prevents malicious content from reaching the browser by using ACF response filtering. ACF response filtering strips active content, such as JavaScript, from the response message based upon a set of filter rules (described later in this article). When you run the sample application, you can see that the news header at the top of the page has been injected with the blinking malicious text, which originated from some active content (JavaScript code) in the first news feed. You can view the news feed source by clicking the Original source of the news title pane, as shown in Figure 2:


Figure 2. Malicious text at the news header
Malicious text at the news header

Now, let’s see how you can prevent this malicious text from damaging your application using ACF response filtering. ACF response filtering is controlled through the zero.config configuration file. You need the following entry to enable ACF response filtering (see Listing 1):


Listing 1. Configure ACF response filtering

# ACF filter rule
@include "${/config/dependencies/zero.acf}/config/acf.config"{
	"conditions" : "/request/path =~ /resources/newsViewer(.*)"
}

The sample provides this configuration. To enable ACF, simply uncomment this section in the zero.config file and restart the Project Zero server. As shown in Figure 3, these two lines of configuration properties tell the ACF engine to filter out any active content from responses originating from the URI /resources/newsViewer, using the default predefined rule set provided with ACF.


Figure 3. Configuring ACF response filtering
Configuring ACF response filtering

When you run the application again, you don’t see the annoying blinking text anymore.

Scenario 2: ACF request filtering

Web 2.0 applications built around collaboration and participation often let users enter or post content to the hosting server. This introduces a security issue when malicious content (JavaScript, for example) is rendered by the server. In the sample application, the user can post comments to the server. To demonstrate the threat of malicious script, enter the text from Listing 2 in the Enter comments area:


Listing 2. Sample malicious script

<script>alert("You are under attack!")</script>

Click the Post your comment button. You will see that the All comments result area is empty, and you get the annoying JavaScript pop-up instead.

So, how do you filter the HTTP request and prevent the malicious JavaScript attack? ACF provides a powerful set of APIs to accomplish this. The APIs tell you whether active content, such as JavaScript, is included in HTTP request parameters, based upon a set of filter rules. If active content is found, you can throw an appropriate exception or use another library from Project Zero called XMLEncoder, which encodes the active content so that it cannot be executed at run time. In our example, the server-side component that handles the incoming comment POST request is the commentHandler.groovy script. This is where you add the ACF request filtering code. You can simply uncomment the code provided with the sample to enable this feature, as shown in Figure 4:


Figure 4. Enable ACF request filtering
Enable ACF request filtering

You don’t need to restart the Zero server this time to test the feature. Reload your application page and post the same JavaScript in the comment area. Obviously, you can’t post the harmful content anymore, as shown in Figure 5:


Figure 5. An example of ACF request filtering
An example of ACF request filtering

Author's note: The scenario described above is an ideal use case for ACF enablement by default. In this scenario, the user is POSTing active content via a JSON encoded message that matches the JSON Content Request scenario described above. In this scenario, the malicious portion of the JSON string would be removed from the JSON value prior to providing the application with the decoded JSON data.
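The filtering described in Scenario 1 (response filtering selected by a path condition), Scenario 2 (request filtering with the reject-or-encode choice) and the author's notes on default request-parameter and JSON filtering, brought together in one added stand-alone Node.js illustration. This is not the zero.acf library or its API, and it is not code from the sample application; the rule set, the function names (containsActiveContent, stripActiveContent, htmlEncode, filterResponse, filterRequestParams, filterJsonStrings, handleCommentPost) and the sample feed and comment inputs are constructed assumptions for the example. It reproduces only the behaviour the article describes: a rule set that removes script, applet/object/embed, inline event handlers and javascript: URLs, a response filter that applies only when the request path matches, and a comment handler that either rejects, encodes or strips the posted value.

```javascript
// Added illustration (not the zero.acf library): a minimal active-content
// filter modelled on the behaviour this article describes. The rule set,
// function names and sample inputs are constructed assumptions.
// Run with: node acf_demo.js

// Rules for active content in an HTML fragment. Each is applied without the
// 'g' flag when detecting and rebuilt with 'gi' when stripping. (Constructed;
// zero.acf's real default rule set is not reproduced here.)
const ACTIVE_CONTENT_RULES = [
  // a complete <script> element, body included
  { name: 'script element', re: /<script\b[^>]*>[\s\S]*?<\/script\s*>/i },
  // a stray or unterminated <script> / </script> tag left over
  { name: 'script tag', re: /<\/?script\b[^>]*>/i },
  // plug-in containers: Applet, ActiveX (via <object>), <embed>
  { name: 'plug-in element', re: /<\/?(applet|object|embed)\b[^>]*>/i },
  // inline event-handler attributes such as onload="..." or onerror=x
  // (deliberately broad: over-stripping is the safe direction for a filter)
  { name: 'event handler', re: /\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i },
  // javascript: URLs in href/src attributes
  { name: 'javascript: URL', re: /\b(href|src)\s*=\s*(["']?)\s*javascript:[^"'>\s]*\2/i },
];

// Report whether the fragment contains anything the rules consider active.
function containsActiveContent(html) {
  return ACTIVE_CONTENT_RULES.some((rule) => rule.re.test(html));
}

// Remove active content. Repeat until nothing changes so that a fragment
// reassembled by a previous pass (e.g. "<scr<script></script>ipt>") is
// filtered again rather than slipping through.
function stripActiveContent(html) {
  let current = String(html);
  for (let pass = 0; pass < 10; pass += 1) {
    let next = current;
    for (const rule of ACTIVE_CONTENT_RULES) {
      next = next.replace(new RegExp(rule.re.source, 'gi'), '');
    }
    if (next === current) return next;
    current = next;
  }
  return current;
}

// The encoding alternative the article mentions (XMLEncoder-style): keep the
// text but make markup inert by escaping it, so the browser shows it as text.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// --- Scenario 1: response filtering selected by a path condition ----------
// Stand-in for the zero.config condition "/request/path =~ /resources/newsViewer(.*)".
const RESPONSE_FILTER_CONDITIONS = [/^\/resources\/newsViewer(.*)/];

function filterResponse(requestPath, body) {
  const matches = RESPONSE_FILTER_CONDITIONS.some((re) => re.test(requestPath));
  return matches ? stripActiveContent(body) : body;
}

// --- Scenario 2 and default enablement: request filtering -----------------
// Treat every request parameter as an HTML fragment and strip it.
function filterRequestParams(params) {
  const out = {};
  for (const [key, value] of Object.entries(params)) out[key] = stripActiveContent(value);
  return out;
}

// Strip every String value in a decoded JSON document, recursively.
function filterJsonStrings(value) {
  if (typeof value === 'string') return stripActiveContent(value);
  if (Array.isArray(value)) return value.map(filterJsonStrings);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, filterJsonStrings(v)]));
  }
  return value;
}

// A comment handler in the spirit of the sample's commentHandler.groovy.
// mode 'reject' drops the post, 'encode' stores it escaped, 'strip' stores it
// with active content removed.
function handleCommentPost(jsonBody, mode) {
  const comment = JSON.parse(jsonBody).comment;
  if (mode === 'reject') {
    return containsActiveContent(comment)
      ? { accepted: false, stored: null }
      : { accepted: true, stored: comment };
  }
  if (mode === 'encode') return { accepted: true, stored: htmlEncode(comment) };
  return { accepted: true, stored: stripActiveContent(comment) };
}

// Constructed sample inputs: a news-feed fragment carrying injected script
// (as in Figure 2) and the comment payload from Listing 2 wrapped in JSON.
const SAMPLE_FEED = "<h2>Today's news</h2><script>document.body.innerHTML+='<blink>!!</blink>'</script><p>Story text</p>";
const SAMPLE_COMMENT = JSON.stringify({ comment: '<script>alert("You are under attack!")</script>' });

function demo() {
  console.log(filterResponse('/resources/newsViewer', SAMPLE_FEED));
  console.log(handleCommentPost(SAMPLE_COMMENT, 'reject'));
  console.log(handleCommentPost(SAMPLE_COMMENT, 'encode'));
}
demo();
```

The strip loop runs to a fixpoint because a single pass can reassemble a tag from the pieces on either side of what it removed; a filter that stops after one pass is a common reason a "filtered" fragment still executes. Encoding keeps the user's text visible as literal characters, which suits a comment field, whereas stripping is what the article applies to the news feed, where the surrounding markup is wanted and only the active parts should go.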

Client-side filtering

Thus far, you have seen the power ACF wields in preventing a malicious attack, primarily in the server side. To further enhance the security of your applications, you may consider using some client-side encoding features introduced by certain modern JavaScript libraries, such as the Dojo framework. Dojo's rich text editor, for example, automatically encodes user input into HTML code that is relatively safe to consume. Note: Although client-side encoding is very useful, it does not replace the ACF filtering done on the server side because users can circumvent what is done on the client side without much effort.

The sample application provides a Dojo-based rich text editor. To test the application, direct your browser to http://localhost:8080/clientfilter.gt. As demonstrated in Figure 6, the JavaScript posted via the Dojo editor has been encoded before being sent to the server. Thus, the posted content will not be interpreted as active JavaScript by the browser.


Figure 6. Dojo editor implementation
Dojo editor implementation

Author's note: The scenario described above is an ideal use case for ACF enablement by default. In this scenario, the user is POSTing active content via a url encoded form message that matches the Request parameters scenario described above. In this scenario, the malicious portion of the request parameter value would be removed from the request parameter prior to the application being able to access the request parameters.

Conclusion

You've seen how ACF provides increased flexibility for application deployment by enabling applications to filter active content without requiring developers to make significant changes to the applications. This increased flexibility allows applications to be better isolated from active content concerns, such as cross-site scripting (XSS), which, unfortunately, is a common attack on many Web 2.0 applications. Give the sample application a try and provide us with your feedback on the Project Zero forum (see Resources).



Download

Description                          Name                     Size   Download method
Sample application for this article  ACFSampleApp-1.0.0.zip   32KB   HTTP


Resources

Get products and technologies

  • Get the Project Zero Eclipse plug-in, which includes an installer to download additional Zero runtime libraries from a Zero package repository after installation.

  • Download Project Zero and start applying the skills learned in this article.

