Simple Cross Site Scripting (XSS) Servlet Filter

XSSFilter: 
public class XSSFilter implements Filter {
 
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
 
    @Override
    public void destroy() {
    }
 
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
        chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
    }
 
}

The HttpServletRequest Wrapper: 
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
 
public class XSSRequestWrapper extends HttpServletRequestWrapper {
 
    public XSSRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }
 
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
 
        if (values == null) {
            return null;
        }
 
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = stripXSS(values[i]);
        }
 
        return encodedValues;
    }
 
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
 
        return stripXSS(value);
    }
 
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return stripXSS(value);
    }
 
    private String stripXSS(String value) {
        if (value != null) {
            // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
            // avoid encoded attacks.
            // value = ESAPI.encoder().canonicalize(value);
 
            // Avoid null characters
            value = value.replaceAll("\0", "");
 
            // Avoid anything between script tags
            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
 
            // Avoid anything in a src='...' type of expression
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
 
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
 
            // Remove any lonesome </script> tag
            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
 
            // Remove any lonesome <script ...> tag
            scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
 
            // Avoid eval(...) expressions
            scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
 
            // Avoid expression(...) expressions
            scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
 
            // Avoid javascript:... expressions
            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
 
            // Avoid vbscript:... expressions
            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
 
            // Avoid onload= expressions
            scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
        }
        return value;
    }
}

Add this to the web.xml: 

    XSS
    XSS
    
    com.greatwebguy.filter.XSSFilter


    XSS
    /*
 
Notice the comment about the ESAPI library, I strongly recommend you check it out and try to include it in your projects.
If you want to dig deeper on the topic I suggest you check out the OWASP page about XSS and RSnake’s XSS (Cross Site Scripting) Cheat Sheet.

 

留言

張貼留言

這個網誌中的熱門文章

java.lang.NoClassDefFoundError: org/apache/xerces/jaxp/datatype/XMLGregorianCalendarImpl$Parser

When you encounter the following error that related to web service. java.lang.NoClassDefFoundError: org/apache/xerces/jaxp/datatype/XMLGregorianCalendarImpl$Parser Solution 1: Ensure no xercesImpl.jar in your classpath since the implementation of xerce is built-in wiht JAVA SE 1.6. Solution 2: Use XmlJavaTypeAdapter [ @XmlJavaTypeAdapter(JaxbDateAdapter.class)] to convert XMLGregorianCalendar type to Date type. XMLGregorianCalendar is the built-in Java data type for JAXB mapping with datetime. Example: Binding.xjb <?xml version="1.0" encoding="UTF-8"?> <bindings xmlns="http://java.sun.com/xml/ns/jaxb"                 xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance"                 xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc"               ...
閱讀完整內容

10 Tips for Proper Application Logging

圖片
Reference: https://www.javacodegeeks.com/2011/01/10-tips-proper-application-logging.html   Our latest   JCP partner ,   Tomasz Nurkiewicz , has submitted a number of posts describing the basic principles of proper application   logging . I found them quite interesting, thus I decided to aggregate them in a more compact format and present them to you. So, here are his suggestions for clean and helpful logs:(NOTE: The original posts have been slightly edited to improve readability) 1) Use the appropriate tools for the job Many programmers seem to forget how important is logging an application’s behavior and its current activity. When somebody puts: 1 log.info( "Happy and carefree logging" ); happily somewhere in the code, he probably doesn’t realize the importance of application logs during maintenance, tuning and failure identification. Underestimating the value of good logs is a terrible mistake. In my opinion, SLF4J is the best logging API availab...
閱讀完整內容

Turn off WebLogic basic authentication

Editing config.xml To set the e enforce-valid-basic-auth-credentials flag, perform the following steps: 1. Add the element to config.xml within the element. false 2. Start or restart all of the servers in the domain. ============================================= Using WebLogic Scripting Tool (WLST) Using WLST to Check the Value of enforce-valid-basic-auth-credentials The Administration Console does not display or log the enforce-valid-basic-auth-credentials setting. However, you can use WLST to check the value in a running server. Remember that enforce-valid-basic-auth-credentials is a domain-wide setting. The WLST session shown below demonstrates how to check the value of the enforce-valid-basic-auth-credentials flag in a sample running server. Example: wls:/offline> connect('weblogic','weblogic123','t3://localhost:7002') Connecting to t3://localhost:7002 with userid weblogic ... Successfully connected to Admin Server 'AdminS...
閱讀完整內容