
I have a scenario where i have to encrypt or protect integer.

For Example

    //scriptlet code
    <% int userId = Integer.parseInt(request.getParameter("sid"));
    ...%>

    <input type="hidden" name="userID" value="<%= userId %>" />

Any idea how I can encrypt the integer, or can I raise a false positive in the above code?

Please help, as I am very badly stuck.

MiniSu

1 Answer


If this is just about XSS then you should get away with either one of these (but ideally both):

  1. Input validation
  2. Output encoding

For a more thorough explanation see, for example: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

OUTPUT ENCODING:

JSP Standard Tag Library has some useful functions, see this answer: XSS prevention in JSP/Servlet web application

For plain Servlet code you could for example use this Open Source library for the output encoding:

https://owasp.org/owasp-java-encoder/encoder/apidocs/org/owasp/encoder/Encode.html

INPUT VALIDATION:

For the input validation you should, for example, check:

  1. Is it really an integer? https://docs.oracle.com/javase/7/docs/api/java/lang/Integer.html#parseInt(java.lang.String,%20int)
  2. Is it within the expected limits? (between min and max value?)
JohannesB
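The two controls from the answer, input validation and output encoding, applied to the hidden field in the question. This is an added example, not code from the question, the answer or the OWASP projects: the user id range constants are assumed, and `encodeForHtmlAttribute` is a minimal stand-in for `org.owasp.encoder.Encode.forHtmlAttribute` from the library linked above, which you should use in real code.

```java
import java.util.OptionalInt;

// Added example: validate the "sid" request parameter as a bounded integer,
// then HTML-attribute-encode it before writing it back into the hidden field.
public class UserIdField {

    // Assumed business limits for a user id; adjust to the real range.
    static final int MIN_USER_ID = 1;
    static final int MAX_USER_ID = 1_000_000;

    /** Input validation: accept only a well-formed integer within limits. */
    static OptionalInt parseUserId(String raw) {
        if (raw == null) {
            return OptionalInt.empty();
        }
        int value;
        try {
            // Integer.parseInt rejects anything that is not a decimal integer
            // (letters, '<', quotes, embedded whitespace) with NumberFormatException.
            value = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            return OptionalInt.empty();
        }
        if (value < MIN_USER_ID || value > MAX_USER_ID) {
            return OptionalInt.empty();
        }
        return OptionalInt.of(value);
    }

    /** Output encoding for an HTML attribute value. Minimal stand-in for
     *  org.owasp.encoder.Encode.forHtmlAttribute; prefer the library. */
    static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;"); break;
                case '<':  sb.append("&lt;");  break;
                case '>':  sb.append("&gt;");  break;
                case '"':  sb.append("&#34;"); break;
                case '\'': sb.append("&#39;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the hidden field; returns null when the input is rejected. */
    static String hiddenField(String rawSid) {
        OptionalInt id = parseUserId(rawSid);
        if (!id.isPresent()) {
            return null; // caller should respond with an error (e.g. HTTP 400)
        }
        // A validated int cannot carry markup, but encode anyway so the
        // template stays safe if the field's type is ever loosened to String.
        String value = encodeForHtmlAttribute(Integer.toString(id.getAsInt()));
        return "<input type=\"hidden\" name=\"userID\" value=\"" + value + "\" />";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid, one attribute-breakout attempt,
        // one out of range, one non-numeric. Only the first yields a field.
        String[] samples = { "42", "42\" onfocus=\"alert(1)", "-7", "abc" };
        for (String s : samples) {
            System.out.println(s + " -> " + hiddenField(s));
        }
    }
}
```

In a servlet or scriptlet the call is `hiddenField(request.getParameter("sid"))`; in a JSP that uses JSTL, writing `<c:out value="${userId}"/>` instead of `<%= userId %>` gives the same output encoding because `c:out` escapes XML by default.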