Cross-site Scripting (XSS) Prevention in Apache Tomcat 7

posted by mthomas on January 26, 2011 07:28 AM

Cross-site scripting (XSS) is the leading form of security vulnerabilities for web applications today. This vulnerability is found when attackers are able to inject client-side scripting into web pages by tricking the browser to trust scripts run from malicious hosts. These scripts usually access user and session information stored in cookies, and allow the hackers to forge trusted user behavior. The result can allow hijackers to control your user account, change your account settings, or redirect web traffic to malicious or false advertising sites. Recently, there has been an increase in high-profile cross-site scripting attacks on sites like Twitter and IBM's DeveloperWorks, which illustrate how common these vulnerabilities exist on web sites both large and small.

Because cross-site scripting is such a significant and universal threat (a few cross-site scripting issues have been fixed in Tomcat 7), an unofficial extension to the Cookie specifications - httpOnly cookies - has been introduced to combat it. Although it is unofficial, it is widely supported. This feature reduces the risk of these security vulnerabilities by preventing the browser from allowing scripts to access information stored in cookies.

In Tomcat, the use of the httpOnly flag on a cookie is controlled by a new Context element called useHttpOnly. When this is enabled, it prevents client-side scripts from accessing Session IDs in cookies. By default, the cross-site script protection is turned on in Tomcat 7 (useHttpOnly is set to true), and while you can turn it on Tomcat 5.x and Tomcat 6.x by default is turned off, mainly due to backwards compatibility concerns.

For Tomcat installations that support multiple web applications, it is possible to configure this context element globally, or individually for specific applications. The value set in the context.xml for individual web application will override anything configured for global defaults. For instance:

  • Setting useHttpOnly to true in the $CATALINA_BASE/conf/context.xml file will turn on cross-site script protection for all webapps.

  • Setting useHttpOnly to false in the $CATALINA_BASE/conf/[enginename]/[host]/context.xml.default file will over-ride the script protection for all webapps of that host.

Further, as it is part of the Servlet 3.0 specification, you can mark any cookie with the useHttpOnly setting, and not just session cookies. For more information on setting this element and others, see the Apache Tomcat 7 Configuration Reference on the Context Container.

By preventing these scripts from accessing sensitive cookie information the potential for damage is severely limited. Where problems may exist is for web applications that use applets. If the applet requires information about the user session, marking the context element useHttpOnly to true will prevent that applet from accessing the session information. 

Mark Thomas is a Senior Software Engineer for the SpringSource Division of VMware, Inc. (NYSE: VMW). Mark has been using and developing Tomcat for over six years. He first got involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way Mark has become a Tomcat committer and PMC member, volunteered to be the Tomcat 4 & 7 release manager, created the Tomcat security pages, become a member of the ASF and joined the Apache Security Committee. He also helps maintain the ASF's Bugzilla instances. Mark has a MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.


nice article

this article saved my life :>

Post new comment

This question is for testing whether you are a human visitor and to prevent automated spam submissions.