**To avoid XSS security threat in spring application**
The solution to the XSS problem is to filter out all the text fields on the form at the time the form is submitted.
It needs an XML entry in the web.xml file & two simple classes. Java code: the code for the first class, named CrossScriptingFilter.java, is:

```java
package com.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;

public class CrossScriptingFilter implements Filter {
    private static Logger logger = Logger.getLogger(CrossScriptingFilter.class);
    private FilterConfig filterConfig;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    // Wrap every request so that parameter and header reads go through RequestWrapper
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        logger.info("Inlter CrossScriptingFilter ...............");
        chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);
        logger.info("Outlter CrossScriptingFilter ...............");
    }
}
```
The second class, called RequestWrapper.java:

```java
package com.filter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.log4j.Logger;

public final class RequestWrapper extends HttpServletRequestWrapper {
    private static Logger logger = Logger.getLogger(RequestWrapper.class);

    public RequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    public String[] getParameterValues(String parameter) {
        logger.info("InarameterValues .. parameter .......");
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    public String getParameter(String parameter) {
        logger.info("Inarameter .. parameter .......");
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        logger.info("Inarameter RequestWrapper ........ value .......");
        return cleanXSS(value);
    }

    public String getHeader(String name) {
        logger.info("Ineader .. parameter .......");
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        logger.info("Ineader RequestWrapper ........... value ....");
        return cleanXSS(value);
    }

    private String cleanXSS(String value) {
        // The body of cleanXSS is cut off on the page. Minimal stand-in consistent
        // with the description below (script tags removed), plus angle-bracket encoding.
        value = value.replaceAll("(?i)<\\s*/?\\s*script[^>]*>", "");
        value = value.replaceAll("(?i)javascript:", "");
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        return value;
    }
}
```
All that remains is the XML entry in the web.xml file:
```xml
<filter>
    <filter-name>XSS</filter-name>
    <display-name>XSS</display-name>
    <description></description>
    <filter-class>com.filter.CrossScriptingFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XSS</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
The `/*` parameter specifies that for each request made from the browser, it will call the CrossScriptingFilter class, which will analyze all the components / elements coming from the request & replace all javascript tags placed by the hacker with an empty line, i.e.
GAURAV KUMAR GUPTA, October 27 '17 at 20:02
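Added example, not the poster's code: a hypothetical `EncodingRequestWrapper` that entity-encodes the significant HTML characters instead of deleting patterns, and also covers `getParameterMap()`, which the wrapper in the answer does not override. It assumes `javax.servlet` on the classpath; encoding every parameter on the way in is still a blunt instrument (values stored in a database end up pre-encoded), so the standard mitigation remains encoding at the point of output in the view.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical hardened variant of the wrapper above (not the original poster's code).
public final class EncodingRequestWrapper extends HttpServletRequestWrapper {
    public EncodingRequestWrapper(HttpServletRequest request) { super(request); }

    // Entity-encode the five characters that can open markup or break out of a
    // quoted attribute. Unlike deleting "script" or "<...>", this keeps the
    // user's data intact: a product named "A<B" still renders as A<B.
    static String encodeForHtml(String value) {
        if (value == null) return null;
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    public String getParameter(String name) { return encodeForHtml(super.getParameter(name)); }

    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) return null;
        String[] out = new String[raw.length];
        for (int i = 0; i < raw.length; i++) out[i] = encodeForHtml(raw[i]);
        return out;
    }

    // The wrapper in the answer does not override getParameterMap(); code that
    // reads the whole map would see raw values. Cover that path too.
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> out = new LinkedHashMap<>();
        for (String name : super.getParameterMap().keySet()) out.put(name, getParameterValues(name));
        return Collections.unmodifiableMap(out);
    }
}
```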