Cross-site Scripting (XSS) Prevention in Apache Tomcat 7

posted by mthomas on January 26, 2011 07:28 AM

Cross-site scripting (XSS) is the most common form of security vulnerability in web applications today. The vulnerability exists when attackers are able to inject client-side script into web pages by tricking the browser into trusting scripts that originate from malicious hosts. These scripts usually access user and session information stored in cookies, and allow the hackers to forge trusted user behavior. The result can allow hijackers to take control of your user account, change your account settings, or redirect web traffic to malicious or false advertising sites. Recently there has been an increase in high-profile cross-site scripting attacks on sites like Twitter and IBM's DeveloperWorks, which illustrates how common these vulnerabilities are on web sites both large and small.

Because cross-site scripting is such a significant and universal threat (a few cross-site scripting issues have been fixed in Tomcat 7), an unofficial extension to the cookie specifications - httpOnly cookies - has been introduced to combat it. Although it is unofficial, it is widely supported. This feature reduces the risk from these vulnerabilities by preventing the browser from allowing scripts to access information stored in cookies.

In Tomcat, the use of the httpOnly flag on a cookie is controlled by a new attribute of the Context element called useHttpOnly. When it is enabled, client-side scripts are prevented from accessing session IDs stored in cookies. In Tomcat 7 this protection is on by default (useHttpOnly is set to true); in Tomcat 5.x and Tomcat 6.x it can be turned on but is off by default, mainly because of backwards compatibility concerns.

For Tomcat installations that host multiple web applications, it is possible to configure this Context attribute globally, or individually for specific applications. The value set in the context.xml of an individual web application overrides anything configured in the global defaults. For instance:

  • Setting useHttpOnly to true in the $CATALINA_BASE/conf/context.xml file turns on cross-site script protection for all webapps.

  • Setting useHttpOnly to false in the $CATALINA_BASE/conf/[enginename]/[host]/context.xml.default file overrides the script protection for all webapps of that host.

Further, since the flag is part of the Servlet 3.0 specification, you can mark any cookie as httpOnly, not just session cookies. For more information on setting this attribute and others, see the Apache Tomcat 7 Configuration Reference on the Context Container.
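The Servlet 3.0 API mentioned above, as an added example that is not part of the original post: a listener that flags the session cookie HttpOnly for a single web application (the programmatic counterpart of the useHttpOnly attribute described above), and a servlet that issues an ordinary application cookie with the same flag. The servlet path, the cookie name and the added Secure flag are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HttpOnlyCookies {
    // Programmatic counterpart of useHttpOnly="true" for this one web application:
    // the session cookie (JSESSIONID) is issued with the HttpOnly attribute.
    // SessionCookieConfig may only be changed while the context is starting,
    // so this belongs in a ServletContextListener, not in a servlet's init().
    @WebListener
    public static class SessionCookieHardening implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            sce.getServletContext().getSessionCookieConfig().setHttpOnly(true);
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }

    // Build an ordinary application cookie that client-side script cannot read.
    // Secure is set when the request arrived over TLS, so the cookie is not sent
    // in clear text; that flag is an addition not covered by the original post.
    public static Cookie httpOnlyCookie(String name, String value, boolean secure) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);   // Servlet 3.0 API, available on Tomcat 7
        c.setSecure(secure);
        c.setPath("/");
        return c;
    }

    // Assumed servlet path and cookie name: a preference cookie that script on
    // the page has no reason to read, so it gets the same protection as the session.
    @WebServlet("/prefs")
    public static class PrefsServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            String theme = "dark".equals(req.getParameter("theme")) ? "dark" : "light";
            resp.addCookie(httpOnlyCookie("ui-theme", theme, req.isSecure()));
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        }
    }
}
```

Deployed on Tomcat 7 with useHttpOnly left at its default of true, both the listener and the Context attribute produce the same Set-Cookie header for the session; the listener matters on Tomcat 6.x or where a host-level context.xml.default has turned the attribute off.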

By preventing these scripts from accessing sensitive cookie information, the potential for damage is severely limited. Problems may arise for web applications that use applets. If the applet requires information about the user session, setting the Context attribute useHttpOnly to true will prevent that applet from accessing the session information.

Mark Thomas is a Senior Software Engineer for the SpringSource Division of VMware, Inc. (NYSE: VMW). Mark has been using and developing Tomcat for over six years. He first got involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way Mark has become a Tomcat committer and PMC member, volunteered to be the Tomcat 4 & 7 release manager, created the Tomcat security pages, become a member of the ASF and joined the Apache Security Committee. He also helps maintain the ASF's Bugzilla instances. Mark has a MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.


nice article

this article saved my life :>
