Level: Intermediate
Todd Kaplinger (todkap@us.ibm.com), Project Zero Architecture & Development, IBM
Masayoshi Teraguchi (teraguti@jp.ibm.com), Research Staff Member, IBM
Gang Chen (gangchen@us.ibm.com), IBM Software Services for WebSphere, IBM
06 Nov 2007 (updated 29 Feb 2008)
Dodge common Web 2.0 application attacks, such as cross-site scripting, and substantially increase your Project Zero application's security using Active Content Filtering (ACF). ACF is a resolvable component within Project Zero that provides a library for removing active content from request data (such as request parameters) and from response output being sent to the client. Learn how to apply ACF to a Project Zero environment in which active content might exist.
Editor's note: IBM® WebSphere® sMash and IBM WebSphere sMash Developer Edition are based on the highly acclaimed Project Zero incubator project. Project Zero is the development community for WebSphere sMash and will continue to offer developers a cost-free platform for developing applications with the latest builds, the latest features, and the support of the community.
Introduction to ACF
As part of the introduction to ACF, you should first understand what Project Zero is.
The following is a quote taken from the Project Zero Web site:
“Project Zero is an incubator project started within IBM® that is focused on the agile development of the next generation of dynamic Web applications. Project Zero introduces a simple environment for creating, assembling, and executing applications based on popular Web technologies. The Project Zero environment includes a scripting runtime for Groovy and PHP with application programming interfaces optimized for producing REST-style services, integration mash-ups, and rich Web interfaces.”
Because Project Zero's main target is the next generation of dynamic Web applications
(typically categorized under the Web 2.0 umbrella), this article focuses on interactive Web applications that contain user-provided content, such as mashups, wikis, and blogs. To support these applications, Project Zero provides ACF as a library that application developers can include as part of a Zero application. ACF provides developers a method for limiting exposure to issues such as cross-site scripting, which can occur in these types of applications (see Resources for a link to a description of cross-site scripting).
About the examples
The examples provided with this article are designed to demonstrate ACF from a simple,
base-use case through subsequent, increasingly complex use cases. The examples are
designed to build upon what was demonstrated in each prior example. Following is a
summary of the examples, each of which is described in more detail in the following sections:
- Example 1 is a basic Ajax-enabled page that allows users to post comments to an
article received from an external location. This example demonstrates what would happen
in the case that active content — such as JavaScript — is included in a user comment or the article.
- Example 2 builds upon Example 1 but includes support for the ACF library. This example demonstrates how ACF filtering works when active content — such as JavaScript — exists in the article.
- Example 3 builds upon Example 2 but includes support for ACF filtering of request parameters. This example demonstrates how ACF filtering works when active content — such as JavaScript — is included in a user comment.
The Project Zero community
Take a stroll around the Project Zero Web site and see how Project Zero provides a powerful, but radically simple, development and execution platform for modern Web applications. The active community discusses project development, provides help to developers, and wants to hear your ideas!
You can download the sample application from the Download section of this article to get hands-on experience enabling the features of ACF. The sample mimics a news aggregation and blog application: you post comments on today's news to the server, which displays them to other viewers. As shown in Figure 1, the top of the page displays the result of the news aggregation, where you can see malicious content (the blinking red text) being injected. Clicking the Original source of the news title pane shows the original HTML of the aggregated news. You can also post comments in the Enter your comments here text area at the bottom; after you click the Post your comment button, the comment is displayed immediately in the All comments area.
Figure 1. ACF sample
The server-side component is built on Project Zero; the front end uses the Dojo toolkit and Ajax.
To run the sample application included with this article, you need the Eclipse IDE with the Project Zero plug-in installed and configured (the Resources section links to the plug-in). When ready, import the sample application archive (ACFSampleApp-1.0.0.zip) with Import > Existing Projects into Workspace, choosing Select archive file as the source (see Figure 2). Project Zero provides ACF support through the zero.acf library, which is already configured as one of the application's dependencies in the ivy.xml file.
Figure 2. Import the ACFSampleApp into the Eclipse workspace
To start the ACF feature exploration journey, right-click the ACFSampleApp and select Run as – Project Zero Application. Your server component is up and running.
Next, direct your browser to http://localhost:8080 to test the sample application.
Scenario 1: ACF response filtering
The first scenario prevents malicious content from reaching the browser by using ACF response filtering. Response filtering strips active content, such as JavaScript, from the response based on a set of filter rules; the sample uses the default rule set that ships with ACF. When you run the sample application, you can see that the news header at the top of the page has been injected with blinking malicious text, produced by JavaScript embedded in the first news feed. You can view the news feed source by clicking the Original source of the news title pane, as shown in Figure 3:
Figure 3. Malicious text at the news header
Now, let's see how you can keep this malicious text from reaching your users by using ACF response filtering. Response filtering is controlled through the zero.config configuration file; the entry in Listing 1 enables it:
Listing 1. Configure ACF response filtering
# ACF filter rule
@include "${/config/dependencies/zero.acf}/config/acf.config"{
"conditions" : "/request/path =~ /resources/newsViewer(.*)"
}
The sample ships with this section commented out in zero.config. To enable ACF, uncomment it and restart the Project Zero server. As shown in Figure 4, this configuration tells the ACF engine to filter active content out of every response whose request path matches the pattern /resources/newsViewer(.*), using the default rule set provided with ACF. Only responses matching the condition are filtered, so any other handler that renders the same feed needs a condition of its own.
Figure 4. Configuring ACF response filtering
When you run the application again, you don’t see the annoying blinking text anymore.
Scenario 2: ACF request filtering
Web 2.0 applications built around collaboration and participation usually let users enter or post content to the hosting server. This introduces a security issue when malicious content (JavaScript, for example) submitted by one user is stored and later rendered to other users. In the sample application, users can post comments to the server.
To demonstrate the threat of malicious script, enter the text from Listing 2 in the Enter comments area:
Listing 2. Sample malicious script
<script>alert("You are under attack!")</script>
Click the Post your comment button. The All comments area stays empty, and you get the JavaScript pop-up instead.
So, how do you filter the HTTP request and prevent the malicious JavaScript from being stored? ACF provides a set of APIs for this. They tell you whether active content, such as JavaScript, is present in the HTTP request parameters, based on a set of filter rules. If active content is found, you can throw an appropriate exception (rejecting the request) or use another Project Zero library, XMLEncoder, which encodes the content so that the browser renders it as text rather than executing it. In the sample, the server-side component that handles the incoming comment POST request is commentHandler.groovy; this is where the ACF request filtering code goes. Uncomment the code provided with the sample to enable the feature, as shown in Figure 5:
Figure 5. Enable ACF request filtering
You don't need to restart the Zero server this time. Reload the application page and post the same JavaScript in the comment area: the harmful content can no longer be posted, as shown in Figure 6:
Figure 6. An example of ACF request filtering
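To make the two server-side scenarios concrete, here is an added example in Python that is not ACF's code, not taken from the sample application, and not ACF's rule set. It does the same two jobs with the standard library's HTMLParser: strip_active_content mirrors response filtering, and contains_active_content together with filter_request_parameter mirror the request-side check with the two outcomes the article describes, rejecting the request or encoding the value. The element and attribute lists, the function names, and the sample article and comments are all assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed, illustrative lists; ACF's real rule set is not reproduced here.
ACTIVE_ELEMENTS = {"script", "style", "object", "embed", "iframe", "link", "meta", "base"}
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "background"}
VOID_ELEMENTS = {"br", "hr", "img", "input", "link", "meta", "base"}  # no end tag
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:")


def _is_active_attribute(name, value):
    """Event handlers (on*), inline style and script-scheme URLs count as active."""
    if name.startswith("on") or name == "style":
        return True
    if name in URL_ATTRIBUTES and value is not None:
        # Browsers ignore whitespace inside a scheme, so "java\tscript:" counts.
        scheme = "".join(ch for ch in value if not ch.isspace()).lower()
        return scheme.startswith(ACTIVE_SCHEMES)
    return False


class ActiveContentStripper(HTMLParser):
    """Re-serialise HTML, dropping active elements (with their bodies), active
    attributes and comments; all remaining text is re-escaped on the way out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside an active element
        self.removed = 0      # elements and attributes removed so far

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.removed += 1
            if tag not in VOID_ELEMENTS:
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if _is_active_attribute(name, value):
                self.removed += 1
            elif value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            if tag not in VOID_ELEMENTS and self.skip_depth:
                self.skip_depth -= 1
        elif not self.skip_depth and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def _run(text):
    stripper = ActiveContentStripper()
    stripper.feed(text)
    stripper.close()
    return stripper


def strip_active_content(html_text):
    """Response filtering: html_text with all active content removed."""
    return "".join(_run(html_text).out)


def contains_active_content(value):
    """Request filtering: True if the filter would remove anything from value."""
    return _run(value).removed > 0


class ActiveContentError(ValueError):
    """A request parameter carried active content under the reject policy."""


def filter_request_parameter(value, policy="reject"):
    """Reject the request, or entity-encode the value so the browser shows it as text."""
    if not contains_active_content(value):
        return value
    if policy == "encode":
        return escape(value, quote=True)
    raise ActiveContentError("active content in request parameter")


# Constructed sample input modelled on the article's two scenarios.
ARTICLE_HTML = (
    '<h2 onmouseover="steal(document.cookie)">Today\'s news</h2>'
    '<p>Markets <b>rallied</b> today.</p>'
    '<script>document.body.innerHTML += "<blink>PWNED</blink>";</script>'
    '<a href="javascript:alert(1)">read more</a>'
    '<a href="http://example.com/story">source</a>'
)
MALICIOUS_COMMENT = '<script>alert("You are under attack!")</script>'
BENIGN_COMMENT = "Great article, 5 > 3 and fish & chips"

if __name__ == "__main__":
    print(strip_active_content(ARTICLE_HTML))
    print(filter_request_parameter(MALICIOUS_COMMENT, policy="encode"))
```

Detection reuses the stripper, so "active" means the same thing on the request path and the response path; that is the property you want when the two filters are meant to back each other up. Two caveats a practitioner should keep in mind: this is a deny-list filter, and a deny list is only as good as its lists, so a production filter is better built as an allow-list of permitted elements and attributes and tested against polyglot payloads; and encoding a whole comment keeps it harmless but also flattens any benign markup in it, so rejection is the safer default for a field that should only ever carry plain text.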
Client-side filtering
So far, you have seen how ACF prevents a malicious attack on the server side. To further harden your applications, you can also use the client-side encoding features of some modern JavaScript libraries, such as the Dojo toolkit. Dojo's rich text editor, for example, encodes user input into HTML that is relatively safe to consume. Note: Although client-side encoding is useful, it does not replace ACF filtering on the server, because an attacker can bypass the client entirely and send a crafted request straight to the server.
The sample application provides a Dojo-based rich text editor. To test it, direct your browser to http://localhost:8080/clientfilter.gt. As Figure 7 shows, the JavaScript posted through the Dojo editor is encoded before it is sent to the server, so the browser renders the posted content as text instead of interpreting it as active JavaScript.
Figure 7. Dojo editor implementation
Conclusion
You've seen how ACF provides increased flexibility for application deployment by enabling applications to filter active content without requiring developers to make significant changes to the applications. This increased flexibility allows applications to be better isolated from active content concerns, such as cross-site scripting (XSS), which, unfortunately, is a common attack on many Web 2.0 applications. Give the sample application a try and provide us with your feedback on the Project Zero forum (see Resources).
Download
| Description | Name | Size | Download method |
|---|---|---|---|
| Sample application for this article | ACFSampleApp-1.0.0.zip | 32KB | HTTP |
Resources
Get products and technologies
- Get the Project Zero Eclipse plug-in, which includes an installer to download additional Zero runtime libraries from a Zero package repository after installation.
- Download Project Zero and start applying the skills learned in this article.
About the authors
Todd Kaplinger is a senior software engineer in IBM Software Group, currently working as architect and team lead of the Security team for Project Zero. Todd is an expert in Web-based technologies such as JSP, Servlet, and PHP, with a recent focus on emerging Web 2.0 technology and its impact on the enterprise. Todd is currently a member of the expert group responsible for JSR 223: Scripting for the Java Platform and is also a member of the Open AJAX Alliance with an interest in interoperability between various Ajax framework implementations on security. Todd acted as team lead and architect of the IBM WebSphere Webcontainer and Remote Request Dispatcher (RRD) project and participated in the JSR 154 Servlet 2.5 specification as the IBM representative in the Servlet Expert group.
Masayoshi Teraguchi is a research staff member at the IBM Tokyo Research Laboratory. Masayoshi has studied XML, Web Services, and Web Services Security (WSS) for the past 5 years. His current research interests include Web 2.0 security and performance.
Gang Chen is a certified consulting I/T specialist in IBM Software Services for WebSphere (ISSW). Gang is an expert in helping enterprise customers with their e-business application design and implementation. Recently, he's focused on the emerging Web 2.0 technology to bring value to the enterprise customers. He is also one of the authors of the IBM Redbook "IBM WebSphere Application Server V6 Scalability and Performance Handbook."