Hi,

A simple post about Cross Site Scripting (XSS) and SQL injection, two types of security vulnerability found in web applications. In SQL injection the vulnerability is exploited by injecting SQL fragments through user input. In XSS, JavaScript (client-side script) is injected into pages served by the remote server, either persistently (stored on the server and served to every visitor) or non-persistently (reflected back from the current request). For more information, Wikipedia is a good source: http://en.wikipedia.org/wiki/Cross-site_scripting and http://en.wikipedia.org/wiki/SQL_injection.

Cross Site Scripting (XSS)
XSS injects executable code via the GET or POST parameters of HTTP requests (or any other input the page later echoes). Here I present an example of transforming the special characters (<, >, ', ", &, …) into their HTML entity references so that the browser renders them as text instead of executing them.

An example of an XSS attack is typing JavaScript into a form field:

"/><script>alert('xss attack');</script>

If the application echoes this value into an HTML attribute without encoding it, the leading "/> closes the attribute and the tag, and the script that follows runs in the victim's browser.

SQL injection
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
A best practice is not to build SQL by concatenating the query text with variables, like:

"SELECT id, name FROM TABLE_PERSON WHERE id=" + myIdVariable;

…instead, use parameterized queries via PreparedStatement: the SQL text is sent to the database with placeholders and the values are bound separately, so a value can never change the structure of the statement.

An example of SQL injection is a request such as:

.../mycontext/myservice.do?name=12&id=123' AND '1'='1'--

The single quote closes the string literal the application opened around the value, the rest of the payload appends a condition of the attacker's choosing, and the trailing -- comments out whatever the application would have added after it.
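As an added example (not code from the original post), here is the concatenated query the post warns against beside its parameterized form, as a small JDBC data-access class. TABLE_PERSON and its id and name columns are taken from the post; the class and method names and the Connection passed in are assumed. The vulnerable method quotes the value, which is the form the post's payload targets; with the unquoted form from the post (WHERE id=" + myIdVariable) the payload is simply 0 OR 1=1, no quote needed:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not the post's own code; names other than TABLE_PERSON/id/name are assumed.
public class PersonDao {

    // VULNERABLE: the request parameter is pasted into the SQL text.
    // With id = "123' AND '1'='1'--" the database receives
    //   SELECT id, name FROM TABLE_PERSON WHERE id='123' AND '1'='1'--'
    // so the attacker, not the application, decides what the WHERE clause says.
    public static String findNameUnsafe(Connection conn, String id) throws SQLException {
        String sql = "SELECT id, name FROM TABLE_PERSON WHERE id='" + id + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("name") : null;
        }
    }

    // SAFE: the SQL text is fixed and the value travels to the driver separately
    // as a bound parameter; "123' AND '1'='1'--" is then just a string that
    // matches no row.
    public static String findName(Connection conn, String id) throws SQLException {
        String sql = "SELECT id, name FROM TABLE_PERSON WHERE id=?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }

    // SAFER STILL when id is numeric: validate the type before binding. The payload
    // never reaches the database at all, because parseLong rejects it.
    public static String findNameById(Connection conn, String id) throws SQLException {
        long numericId;
        try {
            numericId = Long.parseLong(id);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("id must be an integer", e);
        }
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT id, name FROM TABLE_PERSON WHERE id=?")) {
            ps.setLong(1, numericId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }
}
```

The unquoted numeric case is worth keeping in mind when judging the escaping filter below: doubling single quotes does nothing for a value that is concatenated into a position where no quote is expected, which is why binding the parameter (and, for numeric columns, parsing it first) is the fix rather than escaping.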

Solution and implementation
First, we create an HTTP filter, RequestWrappingFilter, that intercepts every HTTP request; it is declared in the web.xml file:

<filter>
<filter-name>RequestWrappingFilter</filter-name>
<filter-class>com.huo.filter.RequestWrappingFilter</filter-class>
</filter>

<filter-mapping>
<filter-name>RequestWrappingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

… the goal of this filter is to wrap the request in our own wrapper, MyHttpRequestWrapper, which transforms the parameter values as they are read (RequestWrappingFilter.java first, then MyHttpRequestWrapper.java):

package com.huo.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class RequestWrappingFilter implements Filter{

	public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException{
		// Only HTTP requests can be wrapped; anything else passes through untouched
		if(req instanceof HttpServletRequest){
			chain.doFilter(new MyHttpRequestWrapper((HttpServletRequest) req), res);
		}else{
			chain.doFilter(req, res);
		}
	}

	public void init(FilterConfig config) throws ServletException{
	}

	// Filter.destroy() declares no checked exception
	public void destroy(){
	}
}

package com.huo.filter;

import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.web.util.HtmlUtils;

public class MyHttpRequestWrapper extends HttpServletRequestWrapper{
	// Cache of already-escaped values, so each parameter is transformed once per request
	private Map<String, String[]> escapedParametersValuesMap = new HashMap<String, String[]>();

	public MyHttpRequestWrapper(HttpServletRequest req){
		super(req);
	}

	// HTML entity encoding of the special characters, then doubling of single quotes for SQL
	private static String escape(String value){
		if(value==null){
			return null;
		}
		// HTML transformation characters
		String escaped = HtmlUtils.htmlEscape(value);
		// SQL injection characters
		return StringEscapeUtils.escapeSql(escaped);
	}

	@Override
	public String getParameter(String name){
		// Same contract as the servlet API: first value, or null when the parameter is absent
		String[] escapedParameterValues = getParameterValues(name);
		if(escapedParameterValues==null || escapedParameterValues.length==0){
			return null;
		}
		return escapedParameterValues[0];
	}

	@Override
	public String[] getParameterValues(String name){
		String[] escapedParameterValues = escapedParametersValuesMap.get(name);
		if(escapedParameterValues==null){
			String[] parametersValues = super.getParameterValues(name);
			if(parametersValues==null){
				return null; // parameter not present in the request
			}
			escapedParameterValues = new String[parametersValues.length];

			for(int i=0; i<parametersValues.length; i++){
				escapedParameterValues[i] = escape(parametersValues[i]);
			}//end-for

			escapedParametersValuesMap.put(name, escapedParameterValues);
		}//end-if

		return escapedParameterValues;
	}
}

That's all. Two caveats before relying on this filter. First, it only covers values read through getParameter and getParameterValues; code that reads getParameterMap, headers, cookies or the request body still sees the raw input, so override those too if your framework uses them. Second, escaping on the way in is defence in depth, not a replacement for the parameterized queries above: escapeSql only doubles single quotes, which does nothing for a value concatenated into an unquoted numeric position, and HTML-encoding at input stores the entities in the database, so any output that is not an HTML page (a JSON response, a CSV export, a log line) will show them. The robust rule is to encode for the output context at the point where the value is written.

Best regards,

Huseyin OZVEREN