Created
April 9, 2012 09:42
-
-
Save ulinkwo/2342557 to your computer and use it in GitHub Desktop.
Stronger Anti Cross-Site Scripting (XSS) Filter for Java Web Apps
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import java.util.regex.Pattern; | |
| import javax.servlet.http.HttpServletRequest; | |
| import javax.servlet.http.HttpServletRequestWrapper; | |
| public class XSSRequestWrapper extends HttpServletRequestWrapper { | |
| public XSSRequestWrapper(HttpServletRequest servletRequest) { | |
| super(servletRequest); | |
| } | |
| @Override | |
| public String[] getParameterValues(String parameter) { | |
| String[] values = super.getParameterValues(parameter); | |
| if (values == null) { | |
| return null; | |
| } | |
| int count = values.length; | |
| String[] encodedValues = new String[count]; | |
| for (int i = 0; i < count; i++) { | |
| encodedValues[i] = stripXSS(values[i]); | |
| } | |
| return encodedValues; | |
| } | |
| @Override | |
| public String getParameter(String parameter) { | |
| String value = super.getParameter(parameter); | |
| return stripXSS(value); | |
| } | |
| @Override | |
| public String getHeader(String name) { | |
| String value = super.getHeader(name); | |
| return stripXSS(value); | |
| } | |
| private String stripXSS(String value) { | |
| if (value != null) { | |
| // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to | |
| // avoid encoded attacks. | |
| // value = ESAPI.encoder().canonicalize(value); | |
| // Avoid null characters | |
| value = value.replaceAll("\0", ""); | |
| // Avoid anything between script tags | |
| Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE); | |
| value = scriptPattern.matcher(value).replaceAll(""); | |
| // Avoid anything in a src='...' type of expression | |
| scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
| value = scriptPattern.matcher(value).replaceAll(""); | |
| scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
| value = scriptPattern.matcher(value).replaceAll(""); | |
| // Remove any lonesome </script> tag | |
| scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE); | |
| value = scriptPattern.matcher(value).replaceAll(""); | |
| // Remove any lonesome <script ...> tag | |
| scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
| value = scriptPattern.matcher(value).replaceAll(""); | |
| // Avoid eval(...) expressions | |
| scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
| value = scriptPattern.matcher(value).replaceAll(""); | |
| // Avoid expression(...) expressions | |
| scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
| value = scriptPattern.matcher(value).replaceAll(""); | |
| // Avoid javascript:... expressions | |
| scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE); | |
| value = scriptPattern.matcher(value).replaceAll(""); | |
| // Avoid vbscript:... expressions | |
| scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE); | |
| value = scriptPattern.matcher(value).replaceAll(""); | |
| // Avoid onload= expressions | |
| scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); | |
| value = scriptPattern.matcher(value).replaceAll(""); | |
| } | |
| return value; | |
| } | |
| } |
@madoke Thanks for your proposal !
should we block img aswell I have a resource
/error/abc/?err=blah%3Cimg%20src%3da%20onerror%3dalert(document.location)%3Eblah
which is executing the script in firefox though chrome is somehow blocking it before submitting to server
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
You should call stripxss on parameter names also instead on just values. take this url for example:
http://mysite.com/?pageIndex1262074=0&85018'\>\<script>alert(1)</script>