I just want to say that I managed to pass the Java SE 7 Programmer I (1Z0-803) certification exam. The exam is not easy, and it is not hard to pass even if you have experience as a Java developer. You need to spend some time going through the certification exam topics. At this point I can recommend one book besides the Oracle documentation, written by Mala Gupta and titled "OCA Java SE 7 Programmer I Certification Guide" [2].
References:
[1] Oracle University, Java SE 7 Programmer I (1Z0-803)
[2] Mala Gupta, OCA Java SE 7 Programmer I Certification Guide
Saturday, 5 December 2015
Cross Site Scripting - XSSRequestWrapper
We all know what Cross Site Scripting (XSS) [1] means. In short, untrusted input (request parameters, headers, anything the client controls) can end up in a page served to another user and be interpreted there as HTML or script. Characters with special meaning in HTML, for instance <, >, &, ", ' and /, must therefore be encoded as &lt;, &gt;, &amp;, &quot;, &#x27; and &#x2F; wherever such a value is written into a page. The reliable place to do that is at output time, in the context where the value is rendered; the request-level filtering described below strips HTML from input before the backend processes it and is a defense-in-depth measure, not a replacement for output encoding.
First of all you need to implement a servlet Filter [7][2] that intercepts every incoming request and wraps it before the request reaches the backend. The filter only sees requests it is mapped to, so register it with a filter-mapping whose url-pattern is /* in web.xml (or, on Servlet 3.0 and later, annotate the class with @WebFilter("/*")).
package pl.garciapl.xss;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

public class RequestFilter implements Filter {

    private final static Logger logger = LoggerFactory.getLogger(RequestFilter.class);

    public void init(FilterConfig fConfig) throws ServletException {
        logger.debug("RequestFilter initialized");
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests can be wrapped; anything else is passed through unchanged
        // instead of failing on the cast.
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    public void destroy() {
    }
}
Then you need to define XSSRequestWrapper [3], which the filter wraps around every request. The test class XSSRequestWrapperTest [4] gives a preview of the kind of malicious HTML that might occur and of what the desirable output is.
package pl.garciapl.xss;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
import org.owasp.esapi.ESAPI;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XSSRequestWrapper extends HttpServletRequestWrapper {

    public XSSRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = stripXSS(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return stripXSS(value);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return stripXSS(value);
    }

    private String stripXSS(String value) {
        if (value != null) {
            // Canonicalize first so that percent- or entity-encoded payloads are
            // decoded before they are checked; ESAPI also detects nested encodings.
            value = ESAPI.encoder().canonicalize(value);
            // Remove null characters.
            value = value.replaceAll("\0", "");
            // Strip every HTML tag; Whitelist.none() keeps text only.
            value = Jsoup.clean(value, Whitelist.none());
        }
        return value;
    }
}
The class above also filters request headers, but only through the accessors it overrides: getParameter, getParameterValues and getHeader. A request body read through getInputStream or getReader (a JSON or XML payload, for example), as well as getParameterMap and getHeaders, passes through untouched, so extend the wrapper if your backend reads input that way. As you can see, method stripXSS uses the ESAPI [6] library to canonicalize the value first, so that percent- or entity-encoded payloads such as %3Cscript%3E are decoded before they are checked. The ESAPI (Enterprise Security API) is an OWASP project to create simple, strong security controls for every web platform. With the default ESAPI.properties, canonicalize throws an IntrusionException when it detects multiple or mixed encoding of the same value, so the filter should catch it and reject the request rather than let the exception propagate. The canonical value is then passed to Jsoup [5] with an empty whitelist, which strips every tag [8]; note that Jsoup re-serializes the remaining text as HTML, so a legitimate value such as "1 < 2" reaches the backend as "1 &lt; 2".
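As an added example that is not part of the original post, the following stand-alone program drives the XSSRequestWrapper above with constructed inputs, without a servlet container. It assumes the wrapper class, servlet-api, Jsoup 1.8.3, ESAPI 2.1.0 and an ESAPI.properties file are on the classpath; the class name XSSRequestWrapperDemo and the helper fakeRequest are names introduced here for the example, and the request values are constructed samples.

```java
package pl.garciapl.xss;

import org.owasp.esapi.errors.IntrusionException;

import javax.servlet.http.HttpServletRequest;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not part of the original post): exercises XSSRequestWrapper
 * with constructed parameters and headers outside any servlet container.
 */
public class XSSRequestWrapperDemo {

    /**
     * Test double: a dynamic proxy that answers getParameter,
     * getParameterValues and getHeader from the given maps and returns
     * null for everything else. Only methods with reference return types
     * may be called on it, which is all the wrapper needs.
     */
    static HttpServletRequest fakeRequest(final Map<String, String[]> params,
                                          final Map<String, String> headers) {
        InvocationHandler handler = new InvocationHandler() {
            public Object invoke(Object proxy, Method method, Object[] args) {
                String name = method.getName();
                if ("getParameterValues".equals(name)) {
                    return params.get((String) args[0]);
                }
                if ("getParameter".equals(name)) {
                    String[] values = params.get((String) args[0]);
                    return values == null ? null : values[0];
                }
                if ("getHeader".equals(name)) {
                    return headers.get((String) args[0]);
                }
                return null; // not needed by the wrapper
            }
        };
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class }, handler);
    }

    /** Reads one parameter through the wrapper and reports what the backend would see. */
    static void show(HttpServletRequest wrapped, String parameter, String raw) {
        try {
            System.out.println(parameter + ": " + raw + "  ->  " + wrapped.getParameter(parameter));
        } catch (IntrusionException e) {
            // The default ESAPI.properties rejects multiple/mixed encoding of one
            // value; a real filter must catch this and reject the request.
            System.out.println(parameter + ": " + raw + "  ->  rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: common payloads plus harmless text.
        Map<String, String[]> params = new HashMap<String, String[]>();
        params.put("comment", new String[] { "<script>alert(1)</script>hello" });
        params.put("name", new String[] { "%3Cimg src=x onerror=alert(1)%3E" });
        params.put("entity", new String[] { "&lt;svg onload=alert(1)&gt;" });
        params.put("math", new String[] { "1 < 2" });
        params.put("double", new String[] { "%253Cscript%253E" });
        Map<String, String> headers = new HashMap<String, String>();
        headers.put("Referer", "http://example.com/?q=<b onmouseover=alert(1)>x</b>");

        HttpServletRequest wrapped = new XSSRequestWrapper(fakeRequest(params, headers));

        for (Map.Entry<String, String[]> e : params.entrySet()) {
            show(wrapped, e.getKey(), e.getValue()[0]);
        }
        System.out.println("Referer: " + wrapped.getHeader("Referer"));
    }
}
```

Run it with the wrapper and the three libraries on the classpath (java -cp ... pl.garciapl.xss.XSSRequestWrapperDemo). With these versions the script element and its contents disappear and only "hello" survives, the percent-encoded and entity-encoded tags are decoded by canonicalize and then stripped by Jsoup, and "1 < 2" comes back as "1 &lt; 2" because Jsoup re-escapes the remaining text. The double-encoded value trips ESAPI's multiple-encoding check (Encoder.AllowMultipleEncoding=false in the default properties) and raises IntrusionException, which is why the filter needs a handling policy for it. If ESAPI.properties is missing from the classpath, ESAPI.encoder() fails at startup with a configuration error rather than silently passing input through.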
References:
[1] Cross Site Scripting, Wikipedia
[2] RequestFilter, Pastebin
[3] XSSRequestWrapper, Pastebin
[4] XSSRequestWrapperTest, Pastebin
[5] Jsoup 1.8.3, Maven
[6] ESAPI 2.1.0, Maven
[7] Servlet Filters and Event Listeners, documentation
[8] Jsoup: Sanitize untrusted HTML (to prevent XSS)