> -----Original Message-----
> From: James Adams [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 11, 2004 6:45 AM
> To: Struts Users Mailing List
> Subject: Struts security/validation
>
>
> Hello all,
>
> I'm in the process of trying to secure my struts application
> against "Cross site scripting", "SQL injection" style attacks.
>
> One of the things I'm doing to prevent this is trying to
> restrict special characters (;.<>(){}...etc) getting beyond
Semicolon and period are perfectly legitimate for a textarea input. I use a filter,
that goes through the parameters looking for select.*from.* for a quick check, then
do a second more detailed look before rejecting for a security violation. I do the
same thing for insert and update as well, as separate checks, which gives me some idea
how far into the attack they've gotten.
I would also do the same thing for a cross site scripting attack, if I had a check for
it.. actually look for keywords before flagging anything. Since I do a lot of
internal web apps, I'm not as concerned about this as I would be if I had external
sites.
> the validator.
>
> At the moment I'm using the validator plugin, within my
> validation.xml I use the "mask" validator with the regular expression;
>
> .....
> <var-name>mask</var-name>
>
> <var-value>^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)]+$</var-value>
>
> .....
>
>
>
> 1. Does anyone know the syntax for also preventing < > &
> within the regular expression bearing in mind its declared in XML?
>
> Or is there some kind of default validator that does this?
>
>
>
> 2. Some of my action functions also take input in the url as
> a GET which does not go through the Validator, this is then
> used to access a DB, these also need to be secured.
> Obviously I can do this within each individual Action class,
> but where would be the best single place I could stop
> characters like < > ; & ever getting as far as the Action classes?
>
> Any other suggestions would be much appreciated, as I
> couldn't find very much related to securing struts applications
>
> many thanks in advance
>
> regards
>
> James
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
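Question 2 asks for one place where request parameters can be screened before any Action class runs, and the reply describes a filter that scans parameters for select.*from. The following is an added example, not code from this thread or from the Struts project, of a servlet Filter that does both. The class name, the extended character list and the keyword pattern are assumptions to adjust per application; the comment on the pattern also answers question 1, since inside validation.xml the three characters must be written as the XML entities &lt; &gt; &amp; (or the var-value wrapped in a CDATA section).

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Screens every request parameter (query string and form body alike) before any
 * Struts Action sees it. Hypothetical class: map it to the Struts servlet's
 * url-pattern (e.g. *.do) with a filter-mapping entry in web.xml.
 */
public class ParameterScreeningFilter implements Filter {

    // The character class from the question's "mask" validator, extended with < > &.
    // In validation.xml the same three characters are written as XML entities:
    //   <var-value>^[^;"'\.\^\$\*\+\?\{\}\[\]\\\|\(\)&lt;&gt;&amp;]+$</var-value>
    // Here the class is inverted (characters to reject) so that empty values pass.
    private static final Pattern FORBIDDEN_CHARS =
            Pattern.compile("[;\"'.^$*+?{}\\[\\]\\\\|()<>\\&]");

    // Keyword check in the spirit of the reply's "select.*from" quick check
    // (constructed pattern; a textarea that legitimately contains these words
    // needs the reply's second, more detailed look before the request is rejected).
    private static final Pattern SQL_KEYWORDS =
            Pattern.compile("(?i)\\b(select\\b.*\\bfrom|insert\\s+into|update\\b.*\\bset)\\b");

    private FilterConfig config;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.config = filterConfig;
    }

    public void destroy() {
        this.config = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // getParameterMap() merges GET query parameters and POST form fields, so this
        // one check also covers the URL-driven actions that bypass the Validator plugin.
        @SuppressWarnings("unchecked")
        Map<String, String[]> params = (Map<String, String[]>) request.getParameterMap();

        String offender = findOffendingParameter(params);
        if (offender != null) {
            // Log enough to investigate, then stop the request before any Action runs.
            config.getServletContext().log("Rejected request from " + request.getRemoteAddr()
                    + ": parameter '" + offender + "' failed screening");
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Returns the name of the first parameter that fails screening, or null if all pass. */
    static String findOffendingParameter(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            String[] values = entry.getValue();
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (value != null
                        && (FORBIDDEN_CHARS.matcher(value).find()
                            || SQL_KEYWORDS.matcher(value).find())) {
                    return entry.getKey();
                }
            }
        }
        return null;
    }
}
```

As the reply notes, semicolons and periods are legitimate in free-text fields, so in practice the forbidden set is narrowed per URL or per parameter rather than applied globally. A screen like this only reduces exposure: the database calls that use these parameters still need PreparedStatement placeholders, and the JSPs need output encoding (Struts' bean:write tag HTML-escapes by default) for the characters it lets through to be harmless.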