WebApp Sec mailing list archives
Re: Data sanitization approaches in Java
From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Sun, 16 Jan 2005 09:11:18 -0500
Ben, I did a presentation at last year's OWASP AppSec conference on this subject. There's a link to the presentations on the conference page (http://www.owasp.org/conferences/appsec2004nyc.html).
Essentially, the approaches range from completely external (deep packet inspection/web app firewall), to web server plugin (modsecurity) to J2EE filter, to a common validation library, to just doing it everywhere in your code. There are advantages and disadvantages to all of them, although I find the J2EE filter approach to be the most flexible.
Also, I noticed that you use the word "sanitization" -- did you mean actually modifying the input data? This is a little tricky in J2EE, although possible. If that's what you're after, let me know.
Oh, and URL encoding is really not a very good idea. Many interpreters just decode URL encoding automatically. HTML entity encoded data (< > ") is generally not interpreted. There's not an HtmlEntityEncoder built into J2EE, so you'll have to roll your own. I could post one if there's interest.
--Jeff
Jeff Williams, CEO
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: "Benjamin Livshits" <livshits () cs stanford edu>
To: <webappsec () securityfocus com>
Sent: Friday, January 14, 2005 4:20 PM
Subject: Data sanitization approaches in Java
I was wondering about data sanitization strategies commonly used in today's Web applications, especially those written using J2EE. I am aware of libraries that would simplify the sanitization process for you, however, I haven't really seen many applications that use anything more sophisticated than URL-encoding the user-supplied string data. Are there some common sanitization strategies that people actually use in their code on a regular basis? Thanks in advance, -Ben
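The two points in Jeff's reply (URL encoding is undone by the first component that decodes it, and J2EE ships no HTML entity encoder, so one has to be written) can be shown in a few lines of Java. The following is an added example for this archive page, not code posted by Jeff Williams or by Aspect Security: the encoder class, the `HttpServletRequestWrapper` subclass and the `Filter` that installs it are this editor's constructions, and the sample input string is constructed.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Constructed example: HTML entity encoding for J2EE (not the list's own code). */
public final class HtmlEntityEncoder {

    private HtmlEntityEncoder() {}

    /** Replace the characters HTML treats as markup with entity references. */
    public static String encode(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // &apos; is not defined in HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Assumed design: a request wrapper that hands encoded parameter values to the servlet. */
    public static class EncodingRequestWrapper extends HttpServletRequestWrapper {
        public EncodingRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            return encode(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) {
                return null;
            }
            String[] out = new String[raw.length];
            for (int i = 0; i < raw.length; i++) {
                out[i] = encode(raw[i]);
            }
            return out;
        }
    }

    /** Assumed design: the J2EE filter that installs the wrapper for every mapped request. */
    public static class EncodingFilter implements Filter {
        public void init(FilterConfig config) {}

        public void destroy() {}

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (req instanceof HttpServletRequest) {
                req = new EncodingRequestWrapper((HttpServletRequest) req);
            }
            chain.doFilter(req, res);
        }
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String input = "<b>Ben</b> & \"friends\""; // constructed sample input
        String urlEncoded = URLEncoder.encode(input, "UTF-8");
        // Any component that URL-decodes before use sees the original markup again.
        System.out.println("URL-encoded then decoded: " + URLDecoder.decode(urlEncoded, "UTF-8"));
        // Entity-encoded text is rendered as literal characters by the browser.
        System.out.println("HTML entity encoded:      " + encode(input));
    }
}
```

The filter shows the "modify the input" approach Jeff calls tricky: once parameters are entity-encoded on the way in, every later consumer (a database column, a log line, an e-mail body) receives encoded text, and a page that encodes again on output will show `&amp;lt;` to the user. Calling `encode` at the point where the value is written into an HTML response, and leaving the filter out, avoids that double encoding; the filter is included here only to illustrate the wrapper technique.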