
When I use the GET method and intercept the request with any proxy tool, then cross-site scripting occurs because of the absence of server-side validations. But in the case of the POST method, as we know, data flows in the body of the request, and when I intercept any body parameter with the script, then again XSS executes.

I want to know: do I need to do server-side validations on each screen, or is there any global thing which can save me from XSS? I am using Java J2

Ayush3g
  • Can you edit your answer to be more specific about what you are using? J2 probably means J2EE, but that could still mean many different things. – mcgyver5 Nov 25 '13 at 18:15
  • Yes, I am using servlets and Hibernate too. It's basically a portal. – Ayush3g Nov 25 '13 at 18:37
  • Please read the [ask] page to understand what we need from questions. So far all of yours have been closed, so please take a couple of minutes to look at the guidance. – Rory Alsop Nov 28 '13 at 07:43

2 Answers

The OWASP cheat sheet has a number of suggestions for mitigating XSS attacks.

If you already have a framework you are using (e.g., Spring or Struts), they might have some protection mechanisms that can be configured.

If you are looking for an add-on framework, consider OWASP ESAPI or the OWASP Java Encoder Project.

TomDane
Gene Gotimer

GET and POST are just the methods used by HTTP to send data to the server. Generally, XSS is observed when untrusted data received from the client is reflected by the server without sanitization. This is independent of using GET or POST.

Untrusted data is the data coming from the client side which can be modified by the client (this includes hidden fields and HTTP header fields).

Server-side validation is a good first line of defense against XSS, and since you are using Java you may want to write a filter which performs validations for all the requests. The best way of protecting against XSS is the use of encoding. These links may help:

XSS intro

Cheatsheet

HTML encoding to protect against XSS

Shurmajee
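The two layers the answer above describes, input validation at entry and HTML output encoding at render time, as an added illustration in plain Java (this is example code, not from the answer or from OWASP; the `XssDefenses` class, the username whitelist rule and the sample parameters are all constructed here):

```java
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical helper: validate input on the way in, encode untrusted data on the way out. */
public class XssDefenses {

    // Constructed whitelist for a field that must only ever hold a username.
    // In a servlet application this check would sit in a Filter so every request is covered.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");

    /** First line of defence: reject input that does not match the shape the field expects. */
    public static boolean isValidUsername(String value) {
        return value != null && USERNAME.matcher(value).matches();
    }

    /**
     * Second, essential line: HTML-encode any untrusted value before it is written into
     * the page body. Free-text fields (comments, names) cannot be whitelisted, so encoding
     * is what actually prevents reflected data from being parsed as markup.
     */
    public static String encodeForHtml(String untrusted) {
        if (untrusted == null) return "";
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample parameters; whether they arrived via GET or POST is irrelevant here.
        Map<String, String> params = Map.of(
            "user", "alice",
            "comment", "<script>alert('x')</script>");
        if (!isValidUsername(params.get("user"))) {
            throw new IllegalArgumentException("rejected user parameter");
        }
        String page = "<p>" + encodeForHtml(params.get("comment")) + "</p>";
        System.out.println(page);
    }
}
```

The encoder above covers the HTML body context only; attribute, JavaScript and URL contexts each need their own encoding, which is why the answers point to OWASP ESAPI and the Java Encoder Project rather than a hand-rolled routine.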