I just wanna say that I managed to pass the certificate exam of Java SE 7 Programmer I (1Z0-803). Exam is not easy and it is not hard to pass even you have experience as a Java Developer. You need to spend some time to go through certification exam issues. At this point I can recommend one book despite of Oracle Documentation which was written by Mala Gupta. This book has a title : "OCA Java SE 7 Programmer I Certification Guide" [2].
Reference :
[1] Oracle University Java SE 7 Programmer I 1Z0-803
[2] Mala Gupta - OCA Java SE 7 Programmer I Certification Guide
We all know what Cross Site Scripting (XSS) [1] means. In short the idea is that input parameters in our application should be checked for containing characters with special meaning in HTML for instance <, >, /. Those signs should be escaped by application into &, <, >, ', ", / before they will be processed by backend.
First of all you need implement Filter [7][2] which will intercept incoming requests to backend for further processing.
package pl.garciapl.xss; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.servlet.*; import java.io.IOException; public class RequestFilter implements Filter { private final static Logger logger = LoggerFactory.getLogger(RequestFilter.class); public void init(FilterConfig fConfig) throws ServletException { logger.debug("RequestFilter initialized"); } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response); } public void destroy() { } }
Then you need define XSSRequestWrapper [3] used to filter every request. You can also find test class XSSRequestWrapperTest [4] which might give you preview what kind of malicious HTML might occur and what might be desirable output.
package pl.garciapl.xss; import org.jsoup.Jsoup; import org.jsoup.safety.Whitelist; import org.owasp.esapi.ESAPI; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; public class XSSRequestWrapper extends HttpServletRequestWrapper { public XSSRequestWrapper(HttpServletRequest request) { super(request); } @Override public String[] getParameterValues(String parameter) { String[] values = super.getParameterValues(parameter); if (values == null) { return null; } int count = values.length; String[] encodedValues = new String[count]; for (int i = 0; i < count; i++) { encodedValues[i] = stripXSS(values[i]); } return encodedValues; } @Override public String getParameter(String parameter) { String value = super.getParameter(parameter); return stripXSS(value); } @Override public String getHeader(String name) { String value = super.getHeader(name); return stripXSS(value); } private String stripXSS(String value) { if (value != null) { // It's highly recommended to use the ESAPI to avoid encoded attacks. value = ESAPI.encoder().canonicalize(value); // Avoid null characters value = value.replaceAll("", ""); value = Jsoup.clean(value, Whitelist.none()); } return value; } }
Above class filters also headers and content of requests. As you can see method stripXSS uses ESAPI [6] library. The ESAPI (Enterprise Security API) is an OWASP project to create simple strong security controls for every web platform. I also use library called Jsoup [5] to clean once again suspect HTML [8].
Reference : [1] Cross Site Scripting Wikipedia [2] RequestFilter Pastebin [3] XSSRequestWrapper Pastebin [4] XSSRequestWrapperTest Pastebin [5] Jsoup 1.8.3 Maven [6] ESAPI 2.1.0 Maven [7] Servlet Filters and Event Listeners Doc [8] Jsoup Sanitize untrusted HTML (to prevent XSS)