It's a common scenario while developing web applications with Java code:
How to secure web applications from common threats like SQL injection, XSS, that too with minimal changes in Legacy applications or already developed code?
Is there any simple way to resolve these issues and minimize the impact and maximize security:
The Solution
A: Safety Servlet Filters and Interceptors
This basic design in my openion should be placed along with above two points.
Steps:
1. Use a filter to capture all requests to the web server.(all means All requests that is possible using your web.xml configuration)
2. Use the filter to modify request parameters. This is tricky as directly we can not change request parameter value.
The solution to this is to use HTTPServletRequestWrapper approach available which can enable to over ride get parameter method of that parameter and in practice 'change' request parameter.
By using this above technique filter all incoming request parameters to allow only alphanumeric params and provide configurable exceptions for few parameters to accept few characters like underscore or space etc...
B: Escape HTML for parameters whenever framework is not used.
This means in all the UI pages use some libraries like apache escapeHTML to encode all the form input parameters. This essentially converts the hazardous characters to its unicode equivalent codes.
To avoid the above issues at first place following best practices can be followed
A: Use a good well known framework
This will make sure that any common security flaw is not present since that might already be addressed by the framework, or atleast can be addressed by next release.
B: Follow MVC pattern in design also
Not only separate the component but have clear design separation also.
Using the above four points will atliest make your application sufficently secure for common security issues.
Note: the above method needs to be performance tuned, and should not be used as is without proper testing. I dont guarantee its outcome.
:) Hope it is helpful
How to secure web applications from common threats like SQL injection, XSS, that too with minimal changes in Legacy applications or already developed code?
Is there any simple way to resolve these issues and minimize the impact and maximize security:
The Solution
A: Safety Servlet Filters and Interceptors
This basic design in my openion should be placed along with above two points.
Steps:
1. Use a filter to capture all requests to the web server.(all means All requests that is possible using your web.xml configuration)
<filter> <filter-name>SecurityFilter</filter-name> <filter-class>SecurityFilter</filter-class> </filter> <filter-mapping> <filter-name>SecurityFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
2. Use the filter to modify request parameters. This is tricky as directly we can not change request parameter value.
The solution to this is to use HTTPServletRequestWrapper approach available which can enable to over ride get parameter method of that parameter and in practice 'change' request parameter.
public class SecurityHttpRequestWrapper extends HttpServletRequestWrapper {
public SecurityHttpRequestWrapper(HttpServletRequest request) {
super(request);
}
public String getParameter(String name) {
HttpServletRequest req = (HttpServletRequest)
super.getRequest(); String result = customisationAndValidation();
//Add the validation logic he
//re. Preferably for alphanumeric validation. Watch out for i18n support since
//it will cause issues with alphanumeric validations and is always tricky.
return result;
}
By using this above technique filter all incoming request parameters to allow only alphanumeric params and provide configurable exceptions for few parameters to accept few characters like underscore or space etc...
public class SecurityFilter implements Filter { public void doFilter(ServletRequest request,
ServletResponse response, FilterChain chain) {
chain.doFilter(
new SecurityHttpRequestWrapper( (HttpServletRequest)request ),
response);
//Watch out for the new objectes created per request.
}
}
B: Escape HTML for parameters whenever framework is not used.
This means in all the UI pages use some libraries like apache escapeHTML to encode all the form input parameters. This essentially converts the hazardous characters to its unicode equivalent codes.
import static org.apache.commons.lang3.StringEscapeUtils.escapeHtml3;
String escaped = escapeHtml3(source);To avoid the above issues at first place following best practices can be followed
A: Use a good well known framework
This will make sure that any common security flaw is not present since that might already be addressed by the framework, or atleast can be addressed by next release.
B: Follow MVC pattern in design also
Not only separate the component but have clear design separation also.
Note: the above method needs to be performance tuned, and should not be used as is without proper testing. I dont guarantee its outcome.
:) Hope it is helpful
