Re: Struts security/validation
Craig McClanahan wrote:

> On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong <[EMAIL PROTECTED]> wrote:
> > I had a similar problem, which I discovered when one of my users tried to
> > enter a street address containing an apostrophe. Since I use apostrophes to
> > delineate my text strings in my SQL statements, this caused a database
> > error. I fixed it by not allowing apostrophes to be entered into any of the
> > text fields.
>
> I hope you never have a customer named O'Reilly :-).
>
> > I admit this is overly restrictive, but I don't know how to get the
> > apostrophe into my database otherwise. How would you do it Craig?
> >
> > For SQL destined text, I disallow \ and '.
>
> If I'm doing the SQL myself, I always use prepared statements:

Absolutely. PreparedStatement is always the way to go, depending on the
database you'll get a couple of performance gains also.

>     // conn is an open java.sql.Connection, custId the customer's id
>     String streetAddress = "..."; // String may have "\" and "'" characters in it
>     PreparedStatement stmt = conn.prepareStatement
>       ("UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
>     stmt.setString(1, streetAddress);
>     stmt.setInt(2, custId);
>     stmt.executeUpdate();
>
> and let the JDBC driver take care of getting the sensitive characters
> escaped as needed.

In fact the drivers should not (again implementation specific) need to do
any escaping, the statement and data are separate entities. The statement
will still contain ? (or equivalent) in the rdbms.

Brett

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Struts security/validation
Jakarta commons lang String Escape Utils has a set of utility methods for
escaping xml, html, sql, java, javascript ...

http://jakarta.apache.org/commons/lang/apidocs/org/apache/commons/lang/StringEscapeUtils.html

Kishore Senji.

On Wed, 11 Aug 2004 10:41:13 -0700, Jim Barrows <[EMAIL PROTECTED]> wrote:
>
> > -Original Message-
> > From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 11, 2004 10:32 AM
> > To: 'Struts Users Mailing List'
> > Subject: RE: Struts security/validation
> >
> > I had a similar problem, which I discovered when one of my users tried to
> > enter a street address containing an apostrophe. Since I use apostrophes to
> > delineate my text strings in my SQL statements, this caused a database
> > error. I fixed it by not allowing apostrophes to be entered into any of the
> > text fields.
> >
> > I admit this is overly restrictive, but I don't know how to get the
> > apostrophe into my database otherwise. How would you do it Craig?
>
> I'd change them to their HTML equivalents.. however I've found that using the
> prepared sql statements eliminates the interpretation problem you've outlined.
>
> > For SQL destined text, I disallow \ and '.
> > For XML destined text, I disallow <, >, &, \, and ".
> >
> > Wiebe de Jong
> >
> > -Original Message-
> > From: Craig McClanahan [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 11, 2004 10:21 AM
> > To: Struts Users Mailing List
> > Subject: Re: Struts security/validation
> >
> > On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> > > Hello all,
> > >
> > > I'm in the process of trying to secure my struts application against
> > > "Cross site scripting", "SQL injection" style attacks.
> > >
> > > One of the things I'm doing to prevent this is trying to restrict special
> > > characters (;.<>(){}...etc) getting beyond the validator.
> >
> > Just thinking out loud for a moment ...
> >
> > Cross site scripting attacks don't happen when sensitive characters
> > are inside an *input* field. The problem comes if you *output* the
> > data without filtering for them. That's why the Struts
> > tag, for example, filters "<", ">", "&", and ";" for you unless you
> > explicitly tell it not to, so if you are diligent about how you copy
> > your database data to output pages, you can safely accept these kinds
> > of character in input.
> >
> > I notice that Kishore Senji (one of the other respondents in this
> > thread) is using Google's Gmail, just as I am at the moment. Since
> > this is a web application, it's a good thing that Google isn't
> > disallowing the magic characters on input into a textarea, or else we
> > would not be able to participate in this conversation :-).
> >
> > Is filtering input really the appropriate strategy for dealing with
> > this problem? If successful it will certainly help, but the approach
> > strikes me as overly restrictive for most application needs.
> >
> > Craig
RE: Struts security/validation
Craig, both you and Jim suggested that I make use of prepared statements. I
implemented my SQL using strings because it is easier to tweak during the
development phase. Now that the project is in maintenance, moving to prepared
statements is a good idea. Probably help a bit in performance as well.

As for the XML/SOAP calls, using the serializer to create the character
entities would be good.

Thanks

Wiebe de Jong

-Original Message-
From: Craig McClanahan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 10:50 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong <[EMAIL PROTECTED]> wrote:
> I had a similar problem, which I discovered when one of my users tried to
> enter a street address containing an apostrophe. Since I use apostrophes to
> delineate my text strings in my SQL statements, this caused a database
> error. I fixed it by not allowing apostrophes to be entered into any of the
> text fields.

I hope you never have a customer named O'Reilly :-).

> I admit this is overly restrictive, but I don't know how to get the
> apostrophe into my database otherwise. How would you do it Craig?
>
> For SQL destined text, I disallow \ and '.

If I'm doing the SQL myself, I always use prepared statements:

    // conn is an open java.sql.Connection, custId the customer's id
    String streetAddress = "..."; // String may have "\" and "'" characters in it
    PreparedStatement stmt = conn.prepareStatement
      ("UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
    stmt.setString(1, streetAddress);
    stmt.setInt(2, custId);
    stmt.executeUpdate();

and let the JDBC driver take care of getting the sensitive characters
escaped as needed.

(Of course, if you're using a persistence tier abstraction like EJB or JDO or
JDBC RowSets or Hibernate or iBatis et al., you don't need to worry about any
of this -- it all happens automatically for you.)

> For XML destined text, I disallow <, >, &, \, and ".

For XML, I use one of several strategies depending on the detailed situation:

* Recognize that XML allows either " or ' as attribute delimiters, so if a
  string includes one kind, just use the other.

* Write or use an XML serializer that translates "&" to "&amp;" and so on
  for me.

* If the XML I am writing is actually markup on a page, use JSF components ...
  JSF includes APIs that do all the escaping for you.

> Wiebe de Jong

Craig
RE: Struts security/validation
Oracle sql insert needs to escape apostrophes so that you can insert
apostrophes. So in your case you may need a utility method to convert all
your text containing apostrophes to something like ''.

Example: If your user enters "I like he's idea", when inserting to data base
you need to convert it to be "I like he''s idea".

Hope this helps.

-Original Message-
From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 1:32 PM
To: 'Struts Users Mailing List'
Subject: RE: Struts security/validation

I had a similar problem, which I discovered when one of my users tried to
enter a street address containing an apostrophe. Since I use apostrophes to
delineate my text strings in my SQL statements, this caused a database
error. I fixed it by not allowing apostrophes to be entered into any of the
text fields.

I admit this is overly restrictive, but I don't know how to get the
apostrophe into my database otherwise. How would you do it Craig?

For SQL destined text, I disallow \ and '.
For XML destined text, I disallow <, >, &, \, and ".

Wiebe de Jong

-Original Message-
From: Craig McClanahan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 10:21 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I'm in the process of trying to secure my struts application against
> "Cross site scripting", "SQL injection" style attacks.
>
> One of the things I'm doing to prevent this is trying to restrict special
> characters (;.<>(){}...etc) getting beyond the validator.

Just thinking out loud for a moment ...

Cross site scripting attacks don't happen when sensitive characters
are inside an *input* field. The problem comes if you *output* the
data without filtering for them. That's why the Struts
tag, for example, filters "<", ">", "&", and ";" for you unless you
explicitly tell it not to, so if you are diligent about how you copy
your database data to output pages, you can safely accept these kinds
of character in input.

I notice that Kishore Senji (one of the other respondents in this
thread) is using Google's Gmail, just as I am at the moment. Since
this is a web application, it's a good thing that Google isn't
disallowing the magic characters on input into a textarea, or else we
would not be able to participate in this conversation :-).

Is filtering input really the appropriate strategy for dealing with
this problem? If successful it will certainly help, but the approach
strikes me as overly restrictive for most application needs.

Craig
Re: Struts security/validation
On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong <[EMAIL PROTECTED]> wrote:
> I had a similar problem, which I discovered when one of my users tried to
> enter a street address containing an apostrophe. Since I use apostrophes to
> delineate my text strings in my SQL statements, this caused a database
> error. I fixed it by not allowing apostrophes to be entered into any of the
> text fields.

I hope you never have a customer named O'Reilly :-).

> I admit this is overly restrictive, but I don't know how to get the
> apostrophe into my database otherwise. How would you do it Craig?
>
> For SQL destined text, I disallow \ and '.

If I'm doing the SQL myself, I always use prepared statements:

    // conn is an open java.sql.Connection, custId the customer's id
    String streetAddress = "..."; // String may have "\" and "'" characters in it
    PreparedStatement stmt = conn.prepareStatement
      ("UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
    stmt.setString(1, streetAddress);
    stmt.setInt(2, custId);
    stmt.executeUpdate();

and let the JDBC driver take care of getting the sensitive characters
escaped as needed.

(Of course, if you're using a persistence tier abstraction like EJB or JDO or
JDBC RowSets or Hibernate or iBatis et al., you don't need to worry about any
of this -- it all happens automatically for you.)

> For XML destined text, I disallow <, >, &, \, and ".

For XML, I use one of several strategies depending on the detailed situation:

* Recognize that XML allows either " or ' as attribute delimiters, so if a
  string includes one kind, just use the other.

* Write or use an XML serializer that translates "&" to "&amp;" and so on
  for me.

* If the XML I am writing is actually markup on a page, use JSF components ...
  JSF includes APIs that do all the escaping for you.

> Wiebe de Jong

Craig
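The prepared-statement fragment above, carried through as a complete class. This is an added example, not code from Craig's message or from Struts; it assumes a JDBC driver on the classpath and a real connection string in place of the JDBC_URL placeholder, and the table and column names (CUSTOMER, STREET_ADDRESS, CUSTID) are the ones from the message. buildUnsafeUpdate shows the string-spliced form the thread starts from, the one that breaks on O'Reilly and that doubling apostrophes by hand (the Oracle suggestion elsewhere in the thread) tries to patch; updateAddress is the bound-parameter form, where the SQL text never changes and the value travels separately.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Added example (not from the thread): the same UPDATE written the unsafe
 * way and the safe way. Assumes a JDBC driver on the classpath and that
 * JDBC_URL is replaced with the URL your driver understands.
 */
public class AddressUpdate {

    // Placeholder (assumption): replace with a real JDBC connection string.
    static final String JDBC_URL = "jdbc:PLACEHOLDER://host/db";

    /**
     * The pattern the thread starts from: the value is spliced into the SQL
     * text, so an apostrophe in the value terminates the string literal.
     * "O'Reilly Street" yields a syntax error, and a value chosen by the
     * sender can change what the statement does. Kept only to show what the
     * safe version replaces; it is never executed here.
     */
    static String buildUnsafeUpdate(String streetAddress, int custId) {
        return "UPDATE CUSTOMER SET STREET_ADDRESS='" + streetAddress
             + "' WHERE CUSTID=" + custId;
    }

    /**
     * Safe version: the SQL text is fixed and carries only '?' markers; the
     * values are sent to the database separately, so nothing in the value can
     * alter the statement and the apostrophe is stored as ordinary data.
     * Returns the number of rows updated.
     */
    static int updateAddress(Connection conn, String streetAddress, int custId)
            throws SQLException {
        String sql = "UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, streetAddress);
            stmt.setInt(2, custId);
            return stmt.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample input: a legitimate address with an apostrophe.
        String address = "12 O'Reilly Street";
        int custId = 42;

        // Show the string that concatenation would have sent: the quote is
        // unbalanced, which is exactly the database error Wiebe reported.
        System.out.println("unsafe text: " + buildUnsafeUpdate(address, custId));

        // The bound-parameter version against a real connection.
        try (Connection conn = DriverManager.getConnection(JDBC_URL)) {
            int rows = updateAddress(conn, address, custId);
            System.out.println(rows + " row(s) updated");
        }
    }
}
```

Two details worth noting: the try-with-resources closes the statement whether or not executeUpdate throws, and the only string that ever reaches conn.prepareStatement is the constant sql, which is what makes the apostrophe (or anything else) in streetAddress inert.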
RE: Struts security/validation
> -Original Message-
> From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 10:32 AM
> To: 'Struts Users Mailing List'
> Subject: RE: Struts security/validation
>
> I had a similar problem, which I discovered when one of my users tried to
> enter a street address containing an apostrophe. Since I use apostrophes to
> delineate my text strings in my SQL statements, this caused a database
> error. I fixed it by not allowing apostrophes to be entered into any of the
> text fields.
>
> I admit this is overly restrictive, but I don't know how to get the
> apostrophe into my database otherwise. How would you do it Craig?

I'd change them to their HTML equivalents.. however I've found that using the
prepared sql statements eliminates the interpretation problem you've outlined.

> For SQL destined text, I disallow \ and '.
> For XML destined text, I disallow <, >, &, \, and ".
>
> Wiebe de Jong
>
> -Original Message-
> From: Craig McClanahan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 10:21 AM
> To: Struts Users Mailing List
> Subject: Re: Struts security/validation
>
> On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> > Hello all,
> >
> > I'm in the process of trying to secure my struts application against
> > "Cross site scripting", "SQL injection" style attacks.
> >
> > One of the things I'm doing to prevent this is trying to restrict special
> > characters (;.<>(){}...etc) getting beyond the validator.
>
> Just thinking out loud for a moment ...
>
> Cross site scripting attacks don't happen when sensitive characters
> are inside an *input* field. The problem comes if you *output* the
> data without filtering for them. That's why the Struts
> tag, for example, filters "<", ">", "&", and ";" for you unless you
> explicitly tell it not to, so if you are diligent about how you copy
> your database data to output pages, you can safely accept these kinds
> of character in input.
>
> I notice that Kishore Senji (one of the other respondents in this
> thread) is using Google's Gmail, just as I am at the moment. Since
> this is a web application, it's a good thing that Google isn't
> disallowing the magic characters on input into a textarea, or else we
> would not be able to participate in this conversation :-).
>
> Is filtering input really the appropriate strategy for dealing with
> this problem? If successful it will certainly help, but the approach
> strikes me as overly restrictive for most application needs.
>
> Craig
RE: Struts security/validation
I had a similar problem, which I discovered when one of my users tried to
enter a street address containing an apostrophe. Since I use apostrophes to
delineate my text strings in my SQL statements, this caused a database
error. I fixed it by not allowing apostrophes to be entered into any of the
text fields.

I admit this is overly restrictive, but I don't know how to get the
apostrophe into my database otherwise. How would you do it Craig?

For SQL destined text, I disallow \ and '.
For XML destined text, I disallow <, >, &, \, and ".

Wiebe de Jong

-Original Message-
From: Craig McClanahan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 10:21 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I'm in the process of trying to secure my struts application against
> "Cross site scripting", "SQL injection" style attacks.
>
> One of the things I'm doing to prevent this is trying to restrict special
> characters (;.<>(){}...etc) getting beyond the validator.

Just thinking out loud for a moment ...

Cross site scripting attacks don't happen when sensitive characters
are inside an *input* field. The problem comes if you *output* the
data without filtering for them. That's why the Struts
tag, for example, filters "<", ">", "&", and ";" for you unless you
explicitly tell it not to, so if you are diligent about how you copy
your database data to output pages, you can safely accept these kinds
of character in input.

I notice that Kishore Senji (one of the other respondents in this
thread) is using Google's Gmail, just as I am at the moment. Since
this is a web application, it's a good thing that Google isn't
disallowing the magic characters on input into a textarea, or else we
would not be able to participate in this conversation :-).

Is filtering input really the appropriate strategy for dealing with
this problem? If successful it will certainly help, but the approach
strikes me as overly restrictive for most application needs.

Craig
RE: Struts security/validation
> -Original Message-
> From: Craig McClanahan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 10:21 AM
> To: Struts Users Mailing List
> Subject: Re: Struts security/validation
>
> On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> > Hello all,
> >
> > I'm in the process of trying to secure my struts
> > application against "Cross site scripting", "SQL injection"
> > style attacks.
> >
> > One of the things I'm doing to prevent this is trying to
> > restrict special characters (;.<>(){}...etc) getting beyond
> > the validator.
>
> Just thinking out loud for a moment ...
>
> Cross site scripting attacks don't happen when sensitive characters
> are inside an *input* field. The problem comes if you *output* the
> data without filtering for them. That's why the Struts
> tag, for example, filters "<", ">", "&", and ";" for you unless you
> explicitly tell it not to, so if you are diligent about how you copy
> your database data to output pages, you can safely accept these kinds
> of character in input.
>
> I notice that Kishore Senji (one of the other respondents in this
> thread) is using Google's Gmail, just as I am at the moment. Since
> this is a web application, it's a good thing that Google isn't
> disallowing the magic characters on input into a textarea, or else we
> would not be able to participate in this conversation :-).
>
> Is filtering input really the appropriate strategy for dealing with
> this problem? If successful it will certainly help, but the approach
> strikes me as overly restrictive for most application needs.

It can be appropriate, you might eventually need to turn off that filtering.
It may be possible to legitimately allow such characters. The immediate
example I can think of is content management. You could jump through hoops
(ex. Wiki's) to not use html to mark up the input but why?

If you do it on input, you definitely need more than just grepping on
characters, you need to look at what the content is. Looking for a
Re: Struts security/validation
On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I'm in the process of trying to secure my struts application against "Cross site
> scripting", "SQL injection" style attacks.
>
> One of the things I'm doing to prevent this is trying to restrict special characters
> (;.<>(){}...etc) getting beyond the validator.

Just thinking out loud for a moment ...

Cross site scripting attacks don't happen when sensitive characters
are inside an *input* field. The problem comes if you *output* the
data without filtering for them. That's why the Struts
tag, for example, filters "<", ">", "&", and ";" for you unless you
explicitly tell it not to, so if you are diligent about how you copy
your database data to output pages, you can safely accept these kinds
of character in input.

I notice that Kishore Senji (one of the other respondents in this
thread) is using Google's Gmail, just as I am at the moment. Since
this is a web application, it's a good thing that Google isn't
disallowing the magic characters on input into a textarea, or else we
would not be able to participate in this conversation :-).

Is filtering input really the appropriate strategy for dealing with
this problem? If successful it will certainly help, but the approach
strikes me as overly restrictive for most application needs.

Craig
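Craig's point is that the characters are harmless in storage and become a problem only at the moment they are written into a page, and the XML strategies he lists in his later reply to Wiebe (use whichever quote delimiter the value does not contain, or let a serializer write &amp;) are the same idea applied to XML output. The following is an added example, mine rather than the thread's and not Struts, JSF or commons-lang code: a minimal escape-on-output helper for HTML plus an XML attribute writer that implements the delimiter-choice strategy and falls back to entity escaping when a value contains both quote characters. The sample address is constructed.

```java
/**
 * Added example (not from the thread). Escape on output: the database keeps
 * the user's raw text, apostrophes and angle brackets included, and encoding
 * happens at the one place the text is written into HTML or XML.
 */
public class OutputEscaper {

    /** Escape text for HTML element content or a double-quoted attribute. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;   // must be escaped first
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;   // &apos; is XML, not HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Write name="value" for an XML attribute using Craig's first strategy:
     * pick whichever delimiter the value does not contain. If it contains
     * both, fall back to the serializer approach and write &quot;.
     * '&' and '<' are always entity-encoded inside attribute values.
     */
    static String xmlAttribute(String name, String value) {
        String body = value.replace("&", "&amp;").replace("<", "&lt;");
        char delim;
        if (value.indexOf('"') < 0) {
            delim = '"';
        } else if (value.indexOf('\'') < 0) {
            delim = '\'';
        } else {
            delim = '"';
            body = body.replace("\"", "&quot;");
        }
        return name + "=" + delim + body + delim;
    }

    public static void main(String[] args) {
        // Constructed sample: a legitimate address with an apostrophe, plus
        // the kind of markup an output page must never emit unencoded.
        String address = "12 O'Reilly St <b>& \"Sons\"</b>";

        // Same value, three output contexts, three encodings.
        System.out.println("<td>" + escapeHtml(address) + "</td>");
        System.out.println("<customer " + xmlAttribute("street", address) + "/>");
        System.out.println("<customer " + xmlAttribute("note", "it's fine") + "/>");
    }
}
```

The order of the replacements in xmlAttribute matters: if "&" were encoded after "<", the "&" introduced by "&lt;" would be encoded a second time. The choice of context-specific encoders is the practical reason input filtering is a poor substitute; the same string needs different treatment depending on whether it lands in HTML text, an attribute, or an XML document.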
RE: Struts security/validation
> -Original Message-
> From: James Adams [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 6:45 AM
> To: Struts Users Mailing List
> Subject: Struts security/validation
>
> Hello all,
>
> I'm in the process of trying to secure my struts application
> against "Cross site scripting", "SQL injection" style attacks.
>
> One of the things I'm doing to prevent this is trying to
> restrict special characters (;.<>(){}...etc) getting beyond

Semicolon and period are perfectly legitimate for a textarea input. I use a
filter, that goes through the parameters looking for select.*from.* for a
quick check, then do a second more detailed look before rejecting for a
security violation. I do the same thing for insert and update as well, as
separate checks, which gives me some idea how far into the attack they've
gotten. I would also do the same thing for a cross site scripting attack, if
I had a check for it.. actually look for keywords before flagging anything.
Since I do a lot of internal web apps, I'm not as concerned about this as I
would be if I had external sites.

> the validator.
>
> At the moment I'm using the validator plugin, within my
> validation.xml I use the "mask" validator with the regular expression;
>
> .
> mask
>
> ^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$
>
> .
>
> 1. Does anyone know the syntax for also preventing < > &
> within the regular expression bearing in mind it's declared in XML?
>
> Or is there some kind of default validator that does this?
>
> 2. Some of my action functions also take input in the url as
> a GET which does not go through the Validator, this is then
> used to access a DB, these also need to be secured.
> Obviously I can do this within each individual Action class,
> but where would be the best single place I could stop
> characters like < > ; & ever getting as far as the Action classes?
>
> Any other suggestions would be much appreciated, as I
> couldn't find very much related to securing struts applications
>
> many thanks in advance
>
> regards
>
> James
Re: Struts security/validation
On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I'm in the process of trying to secure my struts application against "Cross site
> scripting", "SQL injection" style attacks.
>
> One of the things I'm doing to prevent this is trying to restrict special characters
> (;.<>(){}...etc) getting beyond the validator.
>
> At the moment I'm using the validator plugin, within my validation.xml I use the
> "mask" validator with the regular expression;
>
> ..
> mask
>
> ^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$
>
> ..
>
> 1. Does anyone know the syntax for also preventing < > & within the regular
> expression bearing in mind it's declared in XML?

In your regexp, you can specify "<" & ">" entities as "&lt;" and "&gt;" respectively.

> Or is there some kind of default validator that does this?
>
> 2. Some of my action functions also take input in the url as a GET which does not go
> through the Validator, this is then used to access a DB, these also need to be
> secured. Obviously I can do this within each individual Action class, but where
> would be the best single place I could stop characters like < > ; & ever getting as
> far as the Action classes?

1) You can use a strategy similar to the one described in the below url
http://wiki.apache.org/struts/StrutsCatalogBaseAction

OR

2) You can also define a custom RequestProcessor and override
processPreprocess(HttpServletRequest request, HttpServletResponse response).

> Any other suggestions would be much appreciated, as I couldn't find very much
> related to securing struts applications
>
> many thanks in advance
>
> regards
>
> James

Kishore Senji.
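Kishore's answer to question 1 is that the entity forms go into the pattern text and the XML parser hands the validator the literal characters. The added example below (not Struts code and not from the thread) makes that visible: the <var-value> fragment is constructed in the shape validation.xml uses, with James's mask extended by &lt;&gt;&amp;, and reading it with the JDK's own DocumentBuilder stands in for what the validator plugin does when it loads the file. The decoded mask is then compiled with java.util.regex and run over a few constructed inputs. One of them is O'Reilly, so the output also shows the cost Craig raises: the mask rejects it along with the markup.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

/**
 * Added example (not from Struts or the thread). Shows how a mask written
 * with &lt; &gt; &amp; inside an XML file comes out of the parser as the
 * literal characters, and what the resulting regex accepts and rejects.
 * Only the <var>/<var-name>/<var-value> shape is Struts-specific; the
 * parsing and matching are plain JDK.
 */
public class MaskCheck {

    // Constructed fragment: James's mask from the thread, extended with the
    // three characters he asked about, written as XML entities.
    static final String VALIDATION_XML =
        "<var><var-name>mask</var-name>"
      + "<var-value>^[^;\"'\\.\\^\\$\\*\\+\\?\\{\\}\\[\\]\\\\\\|\\(\\)&lt;&gt;&amp;]+$</var-value>"
      + "</var>";

    /** Parse the fragment with the JDK parser and return the decoded mask. */
    static String maskFromXml(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Parser hardening unrelated to the mask itself: no DTDs, hence no
        // external entities, when reading configuration.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // getTextContent() returns the entity-decoded text: < > & not &lt; &gt; &amp;
        return doc.getElementsByTagName("var-value").item(0).getTextContent();
    }

    /** True when the whole input matches the mask (the mask is anchored). */
    static boolean matchesMask(String mask, String input) {
        return Pattern.compile(mask).matcher(input).matches();
    }

    public static void main(String[] args) throws Exception {
        String mask = maskFromXml(VALIDATION_XML);
        System.out.println("decoded mask: " + mask);

        // Constructed inputs: a plain address, a legitimate name with an
        // apostrophe, a markup fragment, and an ampersand.
        String[] samples = { "12 Main Street", "O'Reilly", "<script>", "Tom & Jerry" };
        for (String s : samples) {
            System.out.println((matchesMask(mask, s) ? "accept  " : "reject  ") + s);
        }
    }
}
```

The two setFeature calls are the JDK/Xerces feature names for disabling DTD processing; if a different JAXP implementation is on the classpath they may throw ParserConfigurationException, which is preferable to silently parsing with entities enabled. Whether the mask should reject O'Reilly at all is the question the rest of the thread argues about; this block only shows what the configured pattern does.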
Struts security/validation
Hello all,

I'm in the process of trying to secure my struts application against "Cross
site scripting", "SQL injection" style attacks.

One of the things I'm doing to prevent this is trying to restrict special
characters (;.<>(){}...etc) getting beyond the validator.

At the moment I'm using the validator plugin, within my validation.xml I use
the "mask" validator with the regular expression;

.
mask
^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$
.

1. Does anyone know the syntax for also preventing < > & within the regular
expression bearing in mind it's declared in XML?

Or is there some kind of default validator that does this?

2. Some of my action functions also take input in the url as a GET which
does not go through the Validator, this is then used to access a DB, these
also need to be secured. Obviously I can do this within each individual
Action class, but where would be the best single place I could stop
characters like < > ; & ever getting as far as the Action classes?

Any other suggestions would be much appreciated, as I couldn't find very much
related to securing struts applications

many thanks in advance

regards

James