> -----Original Message-----
> From: James Adams [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 6:45 AM
> To: Struts Users Mailing List
> Subject: Struts security/validation
>
> Hello all,
>
> I'm in the process of trying to secure my struts application
> against "Cross site scripting", "SQL injection" style attacks.
>
> One of the things I'm doing to prevent this is trying to
> restrict special characters (;.<>(){}...etc) getting beyond
> the validator.

Semicolon and period are perfectly legitimate for a textarea input. I use a filter that goes through the parameters looking for select.*from.* for a quick check, then do a second, more detailed look before rejecting for a security violation. I do the same thing for insert and update as well, as separate checks, which gives me some idea how far into the attack they've gotten. I would also do the same thing for a cross site scripting attack, if I had a check for it... actually look for keywords before flagging anything. Since I do a lot of internal web apps, I'm not as concerned about this as I would be if I had external sites.

> At the moment I'm using the validator plugin, within my
> validation.xml I use the "mask" validator with the regular expression;
>
> .....
> <var-name>mask</var-name>
> <var-value>^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$</var-value>
> .....
>
> 1. Does anyone know the syntax for also preventing < > &
> within the regular expression, bearing in mind it's declared in XML?
> Or is there some kind of default validator that does this?
>
> 2. Some of my action functions also take input in the url as
> a GET which does not go through the Validator; this is then
> used to access a DB, so these also need to be secured.
> Obviously I can do this within each individual Action class,
> but where would be the best single place I could stop
> characters like < > ; & ever getting as far as the Action classes?
>
> Any other suggestions would be much appreciated, as I
> couldn't find very much related to securing struts applications.
>
> many thanks in advance
>
> regards
>
> James
>
> ---------------------------------------------------------------------

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
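Editor's note, added to this thread and not part of either message. On question 1: inside XML element content the characters < and & must be written as the entities &lt; and &amp; (> is legal as a literal but is conventionally written &gt;), so a mask that also rejects those three characters is declared as <var-value>^[^;"'&lt;&gt;&amp;]+$</var-value>. On question 2, the "single place" that sees GET query-string parameters as well as POSTed form fields before any Action runs is a servlet Filter mapped ahead of the Struts ActionServlet. The class below is an example of such a filter that implements the staged keyword checks the reply describes (a cheap select/insert/update pattern first, a closer look before rejecting, each statement type checked separately so the log shows how far the attempt got). The class name, pattern set, log messages and the web.xml registration (a <filter> element plus a <filter-mapping> whose <url-pattern> covers the action mapping, e.g. *.do) are assumptions of this example; it targets the javax.servlet API on Java 5 or later.

```java
// Added example (not from the original thread): a servlet Filter that screens every
// request parameter, from a GET query string or a POST body, before any Struts Action
// runs. Class, pattern and log names are hypothetical; register it in web.xml with a
// <filter> and a <filter-mapping> covering the Struts action mapping (e.g. *.do).
package example.security;

import java.io.IOException;
import java.util.Enumeration;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class InjectionScreeningFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(InjectionScreeningFilter.class.getName());

    // Stage 1: cheap keyword pairs, one pattern per statement type so the log records
    // which kind of statement the request resembled.
    private static final Pattern[] SQL_COARSE = {
        Pattern.compile("select\\b.*\\bfrom\\b",  Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
        Pattern.compile("insert\\b.*\\binto\\b",  Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
        Pattern.compile("update\\b.*\\bset\\b",   Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
        Pattern.compile("delete\\b.*\\bfrom\\b",  Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
        Pattern.compile("union\\b.*\\bselect\\b", Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
    };

    // Stage 2: runs only after a stage-1 hit. Looks for the quote, comment and
    // terminator characters an injected fragment needs to break out of the
    // surrounding statement, so prose such as "select a theme from the list" passes.
    private static final Pattern SQL_DETAIL =
        Pattern.compile("['\";]|--|/\\*|\\bor\\b\\s+\\d+\\s*=\\s*\\d+", Pattern.CASE_INSENSITIVE);

    // Heuristic for markup that could open a script context in a page that echoes the
    // value: a tag start, a javascript: URL, or an on...= event-handler attribute.
    private static final Pattern XSS =
        Pattern.compile("<\\s*/?\\s*[a-z!]|javascript\\s*:|\\bon[a-z]+\\s*=", Pattern.CASE_INSENSITIVE);

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getParameterNames() covers query-string and form parameters alike.
        Enumeration<?> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String[] values = req.getParameterValues(name);
            for (int i = 0; i < values.length; i++) {
                String verdict = classify(values[i]);
                if (verdict != null) {
                    LOG.warning("Rejected " + req.getMethod() + " " + req.getRequestURI()
                                + " from " + req.getRemoteAddr() + ": parameter '" + name
                                + "' " + verdict);
                    resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    /** Returns null if the value is acceptable, otherwise a short reason for the log. */
    static String classify(String value) {
        if (value == null) return null;
        for (int i = 0; i < SQL_COARSE.length; i++) {
            if (SQL_COARSE[i].matcher(value).find()) {
                // Stage 1 matched: note how far it got, reject only if stage 2 agrees.
                if (SQL_DETAIL.matcher(value).find()) {
                    return "matched SQL pattern #" + i + " plus break-out characters";
                }
                LOG.fine("SQL keyword pattern #" + i + " matched without break-out characters");
            }
        }
        if (XSS.matcher(value).find()) {
            return "contains HTML/script markup";
        }
        return null;
    }
}
```

A filter like this is a detection layer, not the fix. Keyword blacklists can be evaded (comments, encoding, alternate syntax) and they reject legitimate text, as the reply's point about semicolons and periods shows. The defences that actually close the two holes James names are, for SQL injection, building every query with java.sql.PreparedStatement and bound parameters instead of concatenating request values into SQL, and, for cross-site scripting, HTML-escaping values when they are written back into a page; in Struts 1 the <bean:write> tag does this by default because its filter attribute defaults to true, and the <html:*> form tags escape the values they render.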