
I have written a Filter. Below is the code.

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

    HttpServletRequest srequest = (HttpServletRequest) request;
    HttpServletResponse sresponse = (HttpServletResponse) response;

    String url = srequest.getRequestURI();
    if (url.contains("//What patterns to be checked here?")) {
        //Invalidate the Session
        //Redirect to error page
        return; // do not pass a rejected request further down the chain
    }

    // No match: hand the request on to the next filter / the servlet
    chain.doFilter(request, response);
}

I am reading the URL formed and want to avoid XSS attacks. So I want to check the URL for any patterns which might indicate that it could lead to an XSS attack.

Can I get a consolidated list of all patterns that I can check here? For example:

url.contains("<script>");
Vikas V
    Related: http://stackoverflow.com/questions/7722159/csrf-xss-and-sql-injection-attack-prevention-in-jsf/7725675#7725675 This filter attempt is ridiculous. Just don't do that. Just display user-controlled input HTML-escaped (which JSF by default already does). – BalusC Dec 24 '12 at 11:46
  • @BalusC +1 for your answer. Thank you BalusC – Vikas V Dec 24 '12 at 11:59

1 Answer


Wow, DON'T. There are lots of sources that would explain to you why:

  • Blacklisting is almost always a bad thing
  • You should not check for XSS on input but escape output regardless of its source

If you want more info on preventing XSS, go to the OWASP XSS cheat sheet.

On the other side, if you want to add some limited scripting/editing functionality to your web site, you could and should use substitution (like on Stack Overflow, where you don't write <b> but use ** which is later transformed to the appropriate HTML tags). Or you can use whitelisting: only and only allow text and some of the tags, but it can be tricky and you would have to be very careful.

damiankolasa
  • Thanks a lot. "_only and only allow text and some of the tags, but it can be tricky and you would have to be very careful._" Can you please elaborate on this? – Vikas V Dec 24 '12 at 08:56
  • Because HTTP is an "encodings" world, plus attackers can have some nifty ideas about how to show you that you didn't think of everything. It's pretty well described in: Hacking Exposed Web Applications, and Innocent Code. I would recommend you those books to get a better grasp of how problematic it can be. – damiankolasa Dec 24 '12 at 09:15
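The contrast the answer draws, as an added example that is not part of the question or the answer: the question's `url.contains("<script>")` check beside a plain HTML-body escaper of the kind the OWASP cheat sheet recommends. Class, method and sample strings are constructed for illustration.

```java
// Added example: the question's blacklist check next to output escaping.
// Nothing here is from the original post; names and samples are invented.
public final class OutputEscapingDemo {

    // The question's approach: reject a request whose URL contains a known pattern.
    static boolean naiveBlacklistRejects(String url) {
        return url.contains("<script>");
    }

    // The answer's approach: escape the characters that are significant in an
    // HTML body or attribute context (OWASP XSS Prevention Cheat Sheet, rule #1),
    // so the browser renders user-controlled text as text, whatever it contains.
    static String escapeHtml(String input) {
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: the second differs from the first only in letter case,
        // the third is harmless text that a broader blacklist might still trip over.
        String[] samples = {
            "<script>alert(1)</script>",
            "<SCRIPT>alert(1)</SCRIPT>",
            "Tom & Jerry"
        };
        for (String s : samples) {
            System.out.printf("blacklist rejects: %-5s escaped: %s%n",
                    naiveBlacklistRejects(s), escapeHtml(s));
        }
    }
}
```

The escaped form of every sample contains no raw `<`, `>` or `&`, so it is inert wherever it is written into an HTML body, while the blacklist rejects only the first sample and lets the case-varied second one through.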