How can I change the request body in a Java filter to protect from XSS attacks?
I built an HttpServletRequestWrapper and used getParameter to change the body, but I get a stream closed exception.
Helping Hands
Neda Esmaeili
http://stackoverflow.com/questions/15698381/how-to-perform-output-encoding-using-filter-to-prevent-xss – akgaur Dec 08 '15 at 12:11
2 Answers
XSSFilter.java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.io.IOUtils;
import org.json.JSONObject;

public class XSSFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        XSSRequestWrapper wrappedRequest = new XSSRequestWrapper((HttpServletRequest) request);
        // Read the body through the wrapper: it buffers the bytes, so the
        // servlet further down the chain can read the (rewritten) body again.
        String body = IOUtils.toString(wrappedRequest.getReader());
        // The filter assumes a JSON object body; new JSONObject() throws on anything else.
        if (!"".equals(body)) {
            JSONObject oldJsonObject = new JSONObject(body);
            JSONObject newJsonObject = new JSONObject();
            for (String key : oldJsonObject.keySet()) {
                Object value = oldJsonObject.get(key);
                // Escape only string values; numbers, booleans and nested
                // objects/arrays are copied unchanged so their JSON types are
                // preserved (strings inside nested values are not walked here).
                newJsonObject.put(key, value instanceof String
                        ? XSSUtils.stripXSS((String) value) : value);
            }
            // JSON is UTF-8 by default; encode the rewritten body explicitly.
            wrappedRequest.resetInputStream(
                    newJsonObject.toString().getBytes(StandardCharsets.UTF_8));
        }
        chain.doFilter(wrappedRequest, response);
    }
}
XSSRequestWrapper.java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.io.IOUtils;

public class XSSRequestWrapper extends HttpServletRequestWrapper {
    private byte[] rawData;
    private HttpServletRequest request;
    private ResettableServletInputStream servletStream;

    public XSSRequestWrapper(HttpServletRequest request) {
        super(request);
        this.request = request;
        this.servletStream = new ResettableServletInputStream();
    }

    // Replace the buffered body. rawData must be updated as well; otherwise a
    // later getInputStream()/getReader() call would buffer the original body again.
    public void resetInputStream(byte[] newRawData) {
        rawData = newRawData;
        servletStream.stream = new ByteArrayInputStream(newRawData);
    }

    // Drain the container's stream exactly once, as raw bytes (reading it via
    // getReader() would decode with the platform default charset).
    private void bufferIfNeeded() throws IOException {
        if (rawData == null) {
            rawData = IOUtils.toByteArray(this.request.getInputStream());
            servletStream.stream = new ByteArrayInputStream(rawData);
        }
    }

    @Override
    public ServletInputStream getInputStream() throws IOException {
        bufferIfNeeded();
        return servletStream;
    }

    @Override
    public BufferedReader getReader() throws IOException {
        bufferIfNeeded();
        // Decode with the client's declared encoding, UTF-8 when none is given.
        String enc = request.getCharacterEncoding();
        Charset charset = enc != null ? Charset.forName(enc) : StandardCharsets.UTF_8;
        return new BufferedReader(new InputStreamReader(servletStream, charset));
    }

    // Servlet 3.0 stream over the buffered bytes. Under Servlet 3.1+ the
    // abstract isFinished()/isReady()/setReadListener() must also be implemented.
    private class ResettableServletInputStream extends ServletInputStream {
        private InputStream stream;

        @Override
        public int read() throws IOException {
            return stream.read();
        }
    }
}
XSSUtils.java
// escapeHtml4 comes from Commons Text (org.apache.commons.text.StringEscapeUtils);
// older code uses the deprecated org.apache.commons.lang3.StringEscapeUtils.
import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;

public class XSSUtils {
    private XSSUtils() {
    }

    // Replaces &, <, >, and " with HTML entities so the value cannot break out
    // of an HTML text context. Null is passed through unchanged.
    public static String stripXSS(String value) {
        return value == null ? value : escapeHtml4(value);
    }
}

Neda Esmaeili
Not actually working. The filter is called, but the body is still the original one; the methods getInputStream and getReader haven't been called – Yevgen Kulik Dec 20 '17 at 18:59
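The accepted answer's loop only visits the top-level keys and turns every value into a string before escaping it, so a nested object, an array or a number comes out of the filter as a string. The following is an added example, not code from the original answer, showing a recursive walk over org.json's JSONObject/JSONArray that escapes only the string leaves and leaves every other JSON type untouched. The class and method names (JsonEscaper, escapeBody, escapeStrings) are hypothetical, and the sample body in main() is constructed for illustration.

```java
import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;

import org.json.JSONArray;
import org.json.JSONObject;

// Hypothetical helper (added example): HTML-escapes every string leaf of a JSON
// document while preserving objects, arrays, numbers, booleans and nulls.
public final class JsonEscaper {
    private JsonEscaper() {
    }

    // Returns the body unchanged when it is blank or not a JSON object/array,
    // so a filter can pass non-JSON requests through instead of failing on them.
    public static String escapeBody(String body) {
        String trimmed = body == null ? "" : body.trim();
        if (trimmed.startsWith("{")) {
            return escapeStrings(new JSONObject(trimmed)).toString();
        }
        if (trimmed.startsWith("[")) {
            return escapeStrings(new JSONArray(trimmed)).toString();
        }
        return body;
    }

    // Recursive walk: strings are escaped, containers are descended into and
    // rewritten in place, everything else (Number, Boolean, JSONObject.NULL)
    // is returned as-is so the document keeps its types.
    public static Object escapeStrings(Object value) {
        if (value instanceof String) {
            return escapeHtml4((String) value);
        }
        if (value instanceof JSONObject) {
            JSONObject obj = (JSONObject) value;
            // Replacing the value of an existing key does not alter the key set.
            for (String key : obj.keySet()) {
                obj.put(key, escapeStrings(obj.get(key)));
            }
            return obj;
        }
        if (value instanceof JSONArray) {
            JSONArray arr = (JSONArray) value;
            for (int i = 0; i < arr.length(); i++) {
                arr.put(i, escapeStrings(arr.get(i)));
            }
            return arr;
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample body: a string, a number, a mixed array and a nested object.
        String body = "{\"name\":\"<script>alert(1)</script>\","
                + "\"age\":42,"
                + "\"tags\":[\"<b>x</b>\",7,true],"
                + "\"profile\":{\"bio\":\"a > b\"}}";
        // Prints the escaped document; the number, the boolean and the nesting
        // survive, only the string leaves are rewritten as HTML entities.
        System.out.println(escapeBody(body));
    }
}
```

Drop-in use: call JsonEscaper.escapeBody(body) in doFilter() instead of the per-key loop. Two caveats hold regardless of how thorough the walk is. escapeHtml4 only makes a value safe for an HTML text context; a value later placed inside a script block, an attribute or a URL needs a different encoder, which is why the comment on the question points at output encoding rather than input rewriting. And escaping on the way in changes what gets stored, so a legitimate "<" in a free-text field is persisted as "&lt;".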
Since I do not have enough reputation to add a comment, I am adding it as an answer. After 3 years, I found that the accepted answer saved me hours. At the same time, I had to fix a couple of things, hence adding...
(1) A bug (missing assignment to rawData)
public void resetInputStream(byte[] newRawData) {
    rawData = newRawData; // keep the cached copy in step with the stream
    servletStream.stream = new ByteArrayInputStream(newRawData);
}
(2) A change necessitated over time. Reference: HttpServletRequestWrapper, example implementation for setReadListener / isFinished / isReady?

AGan
Suresh Kumar Ramasamy
Welcome to Stack Overflow! Please take your time and read the Help section on [Answering](https://stackoverflow.com/help/answering). "Since I do not have enough reputation to add a comment" - it's not a tragedy, karma will come to you; remember the old motto: "lurk more" – Alex Yu Feb 26 '19 at 14:20
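The second answer points at the Servlet 3.1 methods (isFinished/isReady/setReadListener) that a ServletInputStream subclass must now implement, but does not show them. Below is an added example, not code from either answer, of a complete cached-body wrapper: a byte-array-backed ServletInputStream with the three Servlet 3.1 methods implemented for a blocking (non-async) request, a wrapper that hands out a fresh stream on every getInputStream()/getReader() call so the body can be read more than once without a stream closed error, and Content-Length overrides that follow the rewritten body. The names CachedBodyRequestWrapper, setBody and ByteArrayServletInputStream are hypothetical; the code uses the javax.servlet API of the original question (Servlet 5+ would use jakarta.servlet).

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.io.IOUtils;

// Hypothetical wrapper (added example): buffers the body once, lets a filter
// swap it, and exposes the swapped body consistently to downstream code.
public class CachedBodyRequestWrapper extends HttpServletRequestWrapper {
    private byte[] body;

    public CachedBodyRequestWrapper(HttpServletRequest request) throws IOException {
        super(request);
        // Drain the container's stream exactly once; every later read is served
        // from the buffer, so nothing downstream touches the closed stream.
        this.body = IOUtils.toByteArray(request.getInputStream());
    }

    public byte[] getBody() {
        return body;
    }

    // A filter calls this after rewriting the body (e.g. after escaping JSON strings).
    public void setBody(byte[] newBody) {
        this.body = newBody;
    }

    // Each call gets its own cursor over the buffer, so a filter and the
    // controller behind it can both read the whole body.
    @Override
    public ServletInputStream getInputStream() {
        return new ByteArrayServletInputStream(body);
    }

    @Override
    public BufferedReader getReader() {
        // Decode with the client's declared charset, UTF-8 when none is given.
        String enc = getCharacterEncoding();
        Charset cs = enc != null ? Charset.forName(enc) : StandardCharsets.UTF_8;
        return new BufferedReader(new InputStreamReader(getInputStream(), cs));
    }

    // Keep Content-Length in step with the rewritten body; some body parsers
    // trust this value instead of reading to end-of-stream.
    @Override
    public int getContentLength() {
        return body.length;
    }

    @Override
    public long getContentLengthLong() {
        return body.length;
    }

    // Servlet 3.1 stream over an in-memory byte array. It is always ready
    // because the data is already present; a ReadListener is driven synchronously.
    private static final class ByteArrayServletInputStream extends ServletInputStream {
        private final ByteArrayInputStream in;

        ByteArrayServletInputStream(byte[] data) {
            this.in = new ByteArrayInputStream(data);
        }

        @Override
        public int read() {
            return in.read();
        }

        @Override
        public boolean isFinished() {
            return in.available() == 0;
        }

        @Override
        public boolean isReady() {
            return true;
        }

        @Override
        public void setReadListener(ReadListener listener) {
            // Everything is buffered, so signal data available and completion at once.
            try {
                listener.onDataAvailable();
                listener.onAllDataRead();
            } catch (IOException e) {
                listener.onError(e);
            }
        }
    }
}
```

In doFilter() the pattern is: wrap the request, read wrapper.getBody(), rewrite it, call wrapper.setBody(newBytes), then chain.doFilter(wrapper, response). If downstream code reads the header directly (getHeader("Content-Length") or getIntHeader), override those the same way as getContentLength(); the wrapper above only fixes the typed accessors. The ReadListener handling is correct for ordinary blocking requests; a servlet that switched to async I/O with startAsync() would need the listener to be invoked from the container's threads instead.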