Re: Struts security/validation

2004-08-11 Thread Brett Connor
Craig McClanahan wrote:
> On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong <[EMAIL PROTECTED]> wrote:
> > I had a similar problem, which I discovered when one of my users tried to
> > enter a street address containing an apostrophe. Since I use apostrophes to
> > delineate my text strings in my SQL statements, this caused a database
> > error. I fixed it by not allowing apostrophes to be entered into any of the
> > text fields.
> 
> I hope you never have a customer named O'Reilly :-).
> 
> > I admit this is overly restrictive, but I don't know how to get the
> > apostrophe into my database otherwise. How would you do it Craig?
> > For SQL destined text, I disallow \ and '.
> 
> If I'm doing the SQL myself, I always use prepared statements:

Absolutely. PreparedStatement is always the way to go; depending on the
database you'll get a couple of performance gains also.

>  String streetAddress = "..."; // String may have "\" and "'" characters in it
>  PreparedStatement stmt = conn.prepareStatement(
>      "UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
>  stmt.setString(1, streetAddress);
>  stmt.setInt(2, custId);
>  stmt.executeUpdate();
> 
> and let the JDBC driver take care of getting the sensitive characters
> escaped as needed.

In fact the drivers should not (again implementation specific) need to
do any escaping; the statement and data are separate entities. The
statement will still contain ? (or equivalent) in the rdbms.

Brett
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
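To make Brett's point concrete, here is an added example (mine, not code from the thread): the string-built UPDATE that Wiebe described, next to the bound-parameter form, in one small DAO. It assumes a JDBC Connection to the CUSTOMER table named above; no driver or schema is included, and the class and method names are my own.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Added example, not from the thread. Assumes a JDBC Connection to a CUSTOMER
 * table with STREET_ADDRESS and CUSTID columns, as in Craig's snippet.
 */
public final class CustomerAddressDao {

    /**
     * The approach Wiebe described: the address is spliced into the SQL text.
     * An apostrophe in the data closes the literal early, so "O'Reilly" produces
     * an unbalanced quote and a database error, and anything the database sees
     * after that point is parsed as SQL rather than stored as text.
     */
    static String buildUpdateByConcatenation(int custId, String streetAddress) {
        return "UPDATE CUSTOMER SET STREET_ADDRESS='" + streetAddress
             + "' WHERE CUSTID=" + custId;
    }

    /**
     * Hardened form: the SQL text is fixed when the statement is prepared and
     * carries only placeholders. The driver sends the address as a bound value,
     * so the database never parses it and no escaping or input restriction is
     * needed for it.
     */
    public static int updateStreet(Connection conn, int custId, String streetAddress)
            throws SQLException {
        String sql = "UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, streetAddress); // data, never part of the SQL text
            stmt.setInt(2, custId);
            return stmt.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed input: the customer name Craig warned about.
        String address = "O'Reilly House, 1 Main St";
        // Shows the broken statement without executing it: the quote after O
        // ends the literal, leaving "Reilly House, 1 Main St' WHERE ..." as SQL.
        System.out.println(buildUpdateByConcatenation(42, address));
        // With a live Connection, updateStreet(conn, 42, address) stores the
        // same address unchanged, apostrophe included.
    }
}
```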


Re: Struts security/validation

2004-08-11 Thread Kishore Senji
Jakarta commons lang String Escape Utils has a set of utility methods
for escaping xml, html, sql, java, javascript ...
http://jakarta.apache.org/commons/lang/apidocs/org/apache/commons/lang/StringEscapeUtils.html

Kishore Senji.


On Wed, 11 Aug 2004 10:41:13 -0700, Jim Barrows <[EMAIL PROTECTED]> wrote:
> 
> 
> > -Original Message-
> > From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 11, 2004 10:32 AM
> > To: 'Struts Users Mailing List'
> > Subject: RE: Struts security/validation
> >
> >
> > I had a similar problem, which I discovered when one of my
> > users tried to
> > enter a street address containing an apostrophe. Since I use
> > apostrophes to
> > delineate my text strings in my SQL statements, this caused a database
> > error. I fixed it by not allowing apostrophes to be entered
> > into any of the
> > text fields.
> >
> > I admit this is overly restrictive, but I don't know how to get the
> > apostrophe into my database otherwise. How would you do it Craig?
> 
> I'd change them to their HTML equivalents. However, I've found that using the
> prepared sql statements eliminates the interpretation problem you've outlined.
> 
> 
> 
> >
> > For SQL destined text, I disallow \ and '.
> > For XML destined text, I disallow <, >, &, \, and ".
> >
> > Wiebe de Jong
> >
> > -Original Message-
> > From: Craig McClanahan [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 11, 2004 10:21 AM
> > To: Struts Users Mailing List
> > Subject: Re: Struts security/validation
> >
> > On Wed, 11 Aug 2004 14:45:05 +0100, James Adams
> > <[EMAIL PROTECTED]> wrote:
> > > Hello all,
> > >
> > > I'm in the process of trying to secure my struts application against
> > > "Cross site scripting", "SQL injection" style attacks.
> > >
> > > One of the things I'm doing to prevent this is trying to restrict special
> > > characters (;.<>(){}...etc) getting beyond the validator.
> > >
> >
> > Just thinking out loud for a moment ...
> >
> > Cross site scripting attacks don't happen when sensitive characters
> > are inside an *input* field.  The problem comes if you *output* the
> > data without filtering for them.  That's why the Struts 
> > tag, for example, filters "<", ">", "&", and ";" for you unless you
> > explicitly tell it not to, so if you are diligent about how you copy
> > your database data to output pages, you can safely accept these kinds
> > of character in input.
> >
> > I notice that Kishore Senji (one of the other respondents in this
> > thread) is using Google's Gmail, just as I am at the moment.  Since
> > this is a web application, it's a good thing that Google isn't
> > disallowing the magic characters on input into a textarea, or else we
> > would not be able to participate in this conversation :-).
> >
> > Is filtering input really the appropriate strategy for dealing with
> > this problem?  If successful it will certainly help, but the approach
> > strikes me as overly restrictive for most application needs.
> >
> > Craig
> >



RE: Struts security/validation

2004-08-11 Thread Wiebe de Jong
Craig, both you and Jim suggested that I make use of prepared statements. I
implemented my SQL using strings because it is easier to tweak during the
development phase. 

Now that the project is in maintenance, moving to prepared statements is a
good idea. Probably help a bit in performance as well.

As for the XML/SOAP calls, using the serializer to create the character
entities would be good.

Thanks

Wiebe de Jong

-Original Message-
From: Craig McClanahan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 11, 2004 10:50 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong <[EMAIL PROTECTED]> wrote:
> I had a similar problem, which I discovered when one of my users tried to
> enter a street address containing an apostrophe. Since I use apostrophes to
> delineate my text strings in my SQL statements, this caused a database
> error. I fixed it by not allowing apostrophes to be entered into any of the
> text fields.
> 

I hope you never have a customer named O'Reilly :-).

> I admit this is overly restrictive, but I don't know how to get the
> apostrophe into my database otherwise. How would you do it Craig?
> 
> For SQL destined text, I disallow \ and '.

If I'm doing the SQL myself, I always use prepared statements:

  String streetAddress = "..."; // String may have "\" and "'" characters in it
  PreparedStatement stmt = conn.prepareStatement(
      "UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
  stmt.setString(1, streetAddress); // bound as a parameter, never parsed as SQL
  stmt.setInt(2, custId);
  stmt.executeUpdate();

and let the JDBC driver take care of getting the sensitive characters
escaped as needed.

(Of course, if you're using a persistence tier abstraction like EJB or
JDO or JDBC RowSets or Hibernate or iBatis et al., you don't need to
worry about any of this -- it all happens automatically for you.)

> For XML destined text, I disallow <, >, &, \, and ".

For XML, I use one of several strategies depending on the detailed
situation:

* Recognize that XML allows either " or ' as attribute delimiters,
  so if a string includes one kind, just use the other.

* Write or use an XML serializer that translates "&" to "&amp;"
  and so on for me.

* If the XML I am writing is actually markup on a page, use
  JSF components ... JSF includes APIs that do all the escaping
  for you.

> 
> Wiebe de Jong

Craig




RE: Struts security/validation

2004-08-11 Thread Zhang, Larry \(L.\)
Oracle sql insert needs to escape apostrophes so that you can insert apostrophes. So
in your case you may need a utility method to convert all your text containing
apostrophes to something like ''.

Example: If your user enters "I like he's idea", when inserting to the database you need
to convert it to be "I like he''s idea".

Hope this helps.


-Original Message-
From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 11, 2004 1:32 PM
To: 'Struts Users Mailing List'
Subject: RE: Struts security/validation


I had a similar problem, which I discovered when one of my users tried to
enter a street address containing an apostrophe. Since I use apostrophes to
delineate my text strings in my SQL statements, this caused a database
error. I fixed it by not allowing apostrophes to be entered into any of the
text fields.

I admit this is overly restrictive, but I don't know how to get the
apostrophe into my database otherwise. How would you do it Craig?

For SQL destined text, I disallow \ and '.
For XML destined text, I disallow <, >, &, \, and ".

Wiebe de Jong

-Original Message-
From: Craig McClanahan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 11, 2004 10:21 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
> 
> I'm in the process of trying to secure my struts application against
> "Cross site scripting", "SQL injection" style attacks.
> 
> One of the things I'm doing to prevent this is trying to restrict special
> characters (;.<>(){}...etc) getting beyond the validator.
> 

Just thinking out loud for a moment ...

Cross site scripting attacks don't happen when sensitive characters
are inside an *input* field.  The problem comes if you *output* the
data without filtering for them.  That's why the Struts 
tag, for example, filters "<", ">", "&", and ";" for you unless you
explicitly tell it not to, so if you are diligent about how you copy
your database data to output pages, you can safely accept these kinds
of character in input.

I notice that Kishore Senji (one of the other respondents in this
thread) is using Google's Gmail, just as I am at the moment.  Since
this is a web application, it's a good thing that Google isn't
disallowing the magic characters on input into a textarea, or else we
would not be able to participate in this conversation :-).

Is filtering input really the appropriate strategy for dealing with
this problem?  If successful it will certainly help, but the approach
strikes me as overly restrictive for most application needs.

Craig




Re: Struts security/validation

2004-08-11 Thread Craig McClanahan
On Wed, 11 Aug 2004 10:32:04 -0700, Wiebe de Jong <[EMAIL PROTECTED]> wrote:
> I had a similar problem, which I discovered when one of my users tried to
> enter a street address containing an apostrophe. Since I use apostrophes to
> delineate my text strings in my SQL statements, this caused a database
> error. I fixed it by not allowing apostrophes to be entered into any of the
> text fields.
> 

I hope you never have a customer named O'Reilly :-).

> I admit this is overly restrictive, but I don't know how to get the
> apostrophe into my database otherwise. How would you do it Craig?
> 
> For SQL destined text, I disallow \ and '.

If I'm doing the SQL myself, I always use prepared statements:

  String streetAddress = "..."; // String may have "\" and "'" characters in it
  PreparedStatement stmt = conn.prepareStatement(
      "UPDATE CUSTOMER SET STREET_ADDRESS=? WHERE CUSTID=?");
  stmt.setString(1, streetAddress); // bound as a parameter, never parsed as SQL
  stmt.setInt(2, custId);
  stmt.executeUpdate();

and let the JDBC driver take care of getting the sensitive characters
escaped as needed.

(Of course, if you're using a persistence tier abstraction like EJB or
JDO or JDBC RowSets or Hibernate or iBatis et al., you don't need to
worry about any of this -- it all happens automatically for you.)

> For XML destined text, I disallow <, >, &, \, and ".

For XML, I use one of several strategies depending on the detailed situation:

* Recognize that XML allows either " or ' as attribute delimiters,
  so if a string includes one kind, just use the other.

* Write or use an XML serializer that translates "&" to "&amp;"
  and so on for me.

* If the XML I am writing is actually markup on a page, use
  JSF components ... JSF includes APIs that do all the escaping
  for you.

> 
> Wiebe de Jong

Craig

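Craig's first two XML strategies, as an added example that is not part of the thread and uses no Struts, JSF or commons-lang code: a serializer-style escaper for text content, and an attribute writer that picks whichever delimiter the value does not contain, falling back to entity escaping when it contains both. Class, method and sample values are my own.

```java
/**
 * Added example, not from the thread. Output-side escaping for XML/HTML so that
 * apostrophes, quotes and markup characters can be accepted on input and stored
 * as-is, which is the point Craig makes about filtering on output, not input.
 */
public final class XmlOutputEscaper {

    /** Strategy 2: translate the characters that have meaning in text content. */
    public static String escapeText(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;");  break;
                case '>': out.append("&gt;");  break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Strategy 1: XML allows " or ' around an attribute value, so use the one the
     * value does not contain. A value containing both gets the double-quote
     * delimiter with the embedded double quotes escaped.
     */
    public static String attribute(String name, String value) {
        String body = escapeText(value);
        if (value.indexOf('"') < 0) {
            return name + "=\"" + body + "\"";
        }
        if (value.indexOf('\'') < 0) {
            return name + "='" + body + "'";
        }
        return name + "=\"" + body.replace("\"", "&quot;") + "\"";
    }

    /** Builds one element with a single attribute and text content, both escaped. */
    public static String element(String tag, String attrName, String attrValue, String text) {
        return "<" + tag + " " + attribute(attrName, attrValue) + ">"
             + escapeText(text) + "</" + tag + ">";
    }

    public static void main(String[] args) {
        // Constructed inputs: the apostrophe case from the thread, a value with
        // markup and double quotes, and one that contains both delimiters.
        String[] addresses = {
            "O'Reilly's House, 1 Main St",
            "12\" Screen Co. <b>bold</b> & \"sons\"",
            "Mix 'single' and \"double\""
        };
        for (String a : addresses) {
            System.out.println(element("address", "street", a, a));
        }
    }
}
```

The second input is written with single-quote delimiters and its markup becomes literal text; the third falls back to `&quot;`, so all three round-trip through an XML parser as the original strings.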



RE: Struts security/validation

2004-08-11 Thread Jim Barrows


> -Original Message-
> From: Wiebe de Jong [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 10:32 AM
> To: 'Struts Users Mailing List'
> Subject: RE: Struts security/validation
> 
> 
> I had a similar problem, which I discovered when one of my 
> users tried to
> enter a street address containing an apostrophe. Since I use 
> apostrophes to
> delineate my text strings in my SQL statements, this caused a database
> error. I fixed it by not allowing apostrophes to be entered 
> into any of the
> text fields.
> 
> I admit this is overly restrictive, but I don't know how to get the
> apostrophe into my database otherwise. How would you do it Craig?

I'd change them to their HTML equivalents. However, I've found that using the prepared
sql statements eliminates the interpretation problem you've outlined.

> 
> For SQL destined text, I disallow \ and '.
> For XML destined text, I disallow <, >, &, \, and ".
> 
> Wiebe de Jong
> 
> -Original Message-
> From: Craig McClanahan [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 11, 2004 10:21 AM
> To: Struts Users Mailing List
> Subject: Re: Struts security/validation
> 
> On Wed, 11 Aug 2004 14:45:05 +0100, James Adams 
> <[EMAIL PROTECTED]> wrote:
> > Hello all,
> > 
> > I'm in the process of trying to secure my struts application against
> > "Cross site scripting", "SQL injection" style attacks.
> > 
> > One of the things I'm doing to prevent this is trying to restrict special
> > characters (;.<>(){}...etc) getting beyond the validator.
> > 
> 
> Just thinking out loud for a moment ...
> 
> Cross site scripting attacks don't happen when sensitive characters
> are inside an *input* field.  The problem comes if you *output* the
> data without filtering for them.  That's why the Struts 
> tag, for example, filters "<", ">", "&", and ";" for you unless you
> explicitly tell it not to, so if you are diligent about how you copy
> your database data to output pages, you can safely accept these kinds
> of character in input.
> 
> I notice that Kishore Senji (one of the other respondents in this
> thread) is using Google's Gmail, just as I am at the moment.  Since
> this is a web application, it's a good thing that Google isn't
> disallowing the magic characters on input into a textarea, or else we
> would not be able to participate in this conversation :-).
> 
> Is filtering input really the appropriate strategy for dealing with
> this problem?  If successful it will certainly help, but the approach
> strikes me as overly restrictive for most application needs.
> 
> Craig
> 



RE: Struts security/validation

2004-08-11 Thread Wiebe de Jong
I had a similar problem, which I discovered when one of my users tried to
enter a street address containing an apostrophe. Since I use apostrophes to
delineate my text strings in my SQL statements, this caused a database
error. I fixed it by not allowing apostrophes to be entered into any of the
text fields.

I admit this is overly restrictive, but I don't know how to get the
apostrophe into my database otherwise. How would you do it Craig?

For SQL destined text, I disallow \ and '.
For XML destined text, I disallow <, >, &, \, and ".

Wiebe de Jong

-Original Message-
From: Craig McClanahan [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 11, 2004 10:21 AM
To: Struts Users Mailing List
Subject: Re: Struts security/validation

On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
> 
> I'm in the process of trying to secure my struts application against
> "Cross site scripting", "SQL injection" style attacks.
> 
> One of the things I'm doing to prevent this is trying to restrict special
> characters (;.<>(){}...etc) getting beyond the validator.
> 

Just thinking out loud for a moment ...

Cross site scripting attacks don't happen when sensitive characters
are inside an *input* field.  The problem comes if you *output* the
data without filtering for them.  That's why the Struts 
tag, for example, filters "<", ">", "&", and ";" for you unless you
explicitly tell it not to, so if you are diligent about how you copy
your database data to output pages, you can safely accept these kinds
of character in input.

I notice that Kishore Senji (one of the other respondents in this
thread) is using Google's Gmail, just as I am at the moment.  Since
this is a web application, it's a good thing that Google isn't
disallowing the magic characters on input into a textarea, or else we
would not be able to participate in this conversation :-).

Is filtering input really the appropriate strategy for dealing with
this problem?  If successful it will certainly help, but the approach
strikes me as overly restrictive for most application needs.

Craig




RE: Struts security/validation

2004-08-11 Thread Jim Barrows


> -Original Message-
> From: Craig McClanahan [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 10:21 AM
> To: Struts Users Mailing List
> Subject: Re: Struts security/validation
> 
> 
> On Wed, 11 Aug 2004 14:45:05 +0100, James Adams 
> <[EMAIL PROTECTED]> wrote:
> > Hello all,
> > 
> > I'm in the process of trying to secure my struts
> > application against "Cross site scripting", "SQL injection"
> > style attacks.
> > 
> > One of the things I'm doing to prevent this is trying to
> > restrict special characters (;.<>(){}...etc) getting beyond
> > the validator.
> > 
> 
> Just thinking out loud for a moment ...
> 
> Cross site scripting attacks don't happen when sensitive characters
> are inside an *input* field.  The problem comes if you *output* the
> data without filtering for them.  That's why the Struts 
> tag, for example, filters "<", ">", "&", and ";" for you unless you
> explicitly tell it not to, so if you are diligent about how you copy
> your database data to output pages, you can safely accept these kinds
> of character in input.
> 
> I notice that Kishore Senji (one of the other respondents in this
> thread) is using Google's Gmail, just as I am at the moment.  Since
> this is a web application, it's a good thing that Google isn't
> disallowing the magic characters on input into a textarea, or else we
> would not be able to participate in this conversation :-).
> 
> Is filtering input really the appropriate strategy for dealing with
> this problem?  If successful it will certainly help, but the approach
> strikes me as overly restrictive for most application needs.

It can be appropriate, you might eventually need to turn off that filtering.  It may
be possible to legitimately allow such characters.  The immediate example I can think
of is content management.  You could jump through hoops ( ex. Wikis) to not use html
to mark up the input but why?
If you do it on input, you definitely need more than just grepping on characters, you
need to look at what the content is.  Looking for a

Re: Struts security/validation

2004-08-11 Thread Craig McClanahan
On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
> 
> I'm in the process of trying to secure my struts application against "Cross site 
> scripting", "SQL injection" style attacks.
> 
> One of the things I'm doing to prevent this is trying to restrict special characters 
> (;.<>(){}...etc) getting beyond the validator.
> 

Just thinking out loud for a moment ...

Cross site scripting attacks don't happen when sensitive characters
are inside an *input* field.  The problem comes if you *output* the
data without filtering for them.  That's why the Struts 
tag, for example, filters "<", ">", "&", and ";" for you unless you
explicitly tell it not to, so if you are diligent about how you copy
your database data to output pages, you can safely accept these kinds
of character in input.

I notice that Kishore Senji (one of the other respondents in this
thread) is using Google's Gmail, just as I am at the moment.  Since
this is a web application, it's a good thing that Google isn't
disallowing the magic characters on input into a textarea, or else we
would not be able to participate in this conversation :-).

Is filtering input really the appropriate strategy for dealing with
this problem?  If successful it will certainly help, but the approach
strikes me as overly restrictive for most application needs.

Craig




RE: Struts security/validation

2004-08-11 Thread Jim Barrows


> -Original Message-
> From: James Adams [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 6:45 AM
> To: Struts Users Mailing List
> Subject: Struts security/validation
> 
> 
> Hello all,
> 
> I'm in the process of trying to secure my struts application 
> against "Cross site scripting", "SQL injection" style attacks.
> 
> One of the things I'm doing to prevent this is trying to 
> restrict special characters (;.<>(){}...etc) getting beyond 

Semicolon and period are perfectly legitimate for a textarea input.  I use a filter
that goes through the parameters looking for select.*from.*  for a quick check, then
do a second more detailed look before rejecting for a security violation.  I do the
same thing for insert and update as well, as separate checks, which gives me some idea
how far into the attack they've gotten.
I would also do the same thing for a cross site scripting attack, if I had a check for
it... actually look for keywords before flagging anything.  Since I do a lot of
internal web apps, I'm not as concerned about this as I would be if I had external
sites.

> the validator.
> 
> At the moment I'm using the validator plugin, within my 
> validation.xml I use the "mask" validator with the regular expression;
> 
> .
> mask
> 
> ^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$
> 
> .
> 
> 
> 
> > 1. Does anyone know the syntax for also preventing < > & 
> > within the regular expression bearing in mind it's declared in XML?
> 
> Or is there some kind of default validator that does this?
> 
> 
> 
> 2. Some of my action functions also take input in the url as 
> a GET which does not go through the Validator, this is then 
> used to access a DB, these also need to be secured.  
> Obviously I can do this within each individual Action class, 
> but where would be the best single place I could stop 
> characters like < > ; &  ever getting as far as the Action classes?
> 
> Any other suggestions would be much appreciated, as I 
> couldn't find very much related to securing struts applications  
> 
> many thanks in advance
> 
> regards
> 
> James
> 
> 




Re: Struts security/validation

2004-08-11 Thread Kishore Senji
On Wed, 11 Aug 2004 14:45:05 +0100, James Adams <[EMAIL PROTECTED]> wrote:
> Hello all,
> 
> I'm in the process of trying to secure my struts application against "Cross site 
> scripting", "SQL injection" style attacks.
> 
> One of the things I'm doing to prevent this is trying to restrict special characters 
> (;.<>(){}...etc) getting beyond the validator.
> 
> At the moment I'm using the validator plugin, within my validation.xml I use the 
> "mask" validator with the regular expression;
> 
> ..
> mask
> 
> ^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$
> 
> ..
> 
> 1. Does anyone know the syntax for also preventing < > & within the regular 
> expression bearing in mind it's declared in XML?

In your regexp, you can specify "<" & ">" as the entities "&lt;" and
"&gt;" respectively.

> 
> Or is there some kind of default validator that does this?
> 
> 2. Some of my action functions also take input in the url as a GET which does not go 
> through the Validator, this is then used to access a DB, these also need to be 
> secured.  Obviously I can do this within each individual Action class, but where 
> would be the best single place I could stop characters like < > ; &  ever getting as 
> far as the Action classes?
> 

1) You can use a strategy similar to the one described in the URL below:
http://wiki.apache.org/struts/StrutsCatalogBaseAction

OR

2) You can also define a custom RequestProcessor and override
processPreprocess(HttpServletRequest request, HttpServletResponse
response).

> Any other suggestions would be much appreciated, as I couldn't find very much 
> related to securing struts applications
> 
> many thanks in advance
> 
> regards
> 
> James
> 
> 

Kishore Senji.

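Kishore's second option, worked through as an added example (mine, not the thread's or the Struts project's code), assuming Struts 1.x: a RequestProcessor whose processPreprocess vets the GET parameters that never pass through the Validator, using an allow-list of what each database-bound parameter must look like rather than a list of forbidden characters. The class name, parameter names and rules are assumptions; it is wired in with `<controller processorClass="example.ScreeningRequestProcessor"/>` in struts-config.xml.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.RequestProcessor;

/**
 * Added example, not from the thread or from Struts itself. One central place,
 * ahead of every Action, to check request parameters that bypass the Validator.
 */
public class ScreeningRequestProcessor extends RequestProcessor {

    private static final Logger LOG =
        Logger.getLogger(ScreeningRequestProcessor.class.getName());

    // Allow-list (assumed names): each parameter that reaches the database must
    // match its rule; anything else is rejected, whatever characters it contains.
    private static final Map<String, Pattern> RULES = new HashMap<String, Pattern>();
    static {
        RULES.put("custId", Pattern.compile("^[0-9]{1,10}$"));
        RULES.put("orderId", Pattern.compile("^[0-9]{1,10}$"));
    }

    /** Returns the first screened parameter whose value breaks its rule, or null. */
    static String firstRejectedParameter(Map<String, String[]> params) {
        for (Map.Entry<String, Pattern> rule : RULES.entrySet()) {
            String[] values = params.get(rule.getKey());
            if (values == null) {
                continue;   // a missing parameter is the Action's business, not ours
            }
            for (String value : values) {
                if (!rule.getValue().matcher(value).matches()) {
                    return rule.getKey();
                }
            }
        }
        return null;
    }

    /** Struts calls this before processMapping; returning false means no Action runs. */
    @Override
    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {
        @SuppressWarnings("unchecked")
        Map<String, String[]> params = request.getParameterMap();
        String rejected = firstRejectedParameter(params);
        if (rejected == null) {
            return true;    // continue normal Struts processing
        }
        // Log the parameter name and client, not the raw value, so the log file
        // itself never carries unescaped input into whatever displays it later.
        LOG.warning("Rejected malformed parameter '" + rejected + "' from "
                    + request.getRemoteAddr() + " for " + request.getRequestURI());
        try {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        } catch (IOException e) {
            LOG.warning("Could not send error response: " + e.getMessage());
        }
        return false;
    }
}
```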



Struts security/validation

2004-08-11 Thread James Adams
Hello all,

I'm in the process of trying to secure my struts application against "Cross site 
scripting", "SQL injection" style attacks.

One of the things I'm doing to prevent this is trying to restrict special characters 
(;.<>(){}...etc) getting beyond the validator.

At the moment I'm using the validator plugin, within my validation.xml I use the 
"mask" validator with the regular expression;

.
mask

^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$

.



1. Does anyone know the syntax for also preventing < > & within the regular expression 
bearing in mind it's declared in XML?

Or is there some kind of default validator that does this?



2. Some of my action functions also take input in the url as a GET which does not go 
through the Validator, this is then used to access a DB, these also need to be 
secured.  Obviously I can do this within each individual Action class, but where would 
be the best single place I could stop characters like < > ; &  ever getting as far as 
the Action classes?

Any other suggestions would be much appreciated, as I couldn't find very much related 
to securing struts applications  

many thanks in advance

regards

James