The BadInputFilterValve.java described in the book Tomcat: The Definitive Guide by Jason Brittain & Ian F. Darwin is described as one that "Filters out bad user input from HTTP requests to avoid malicious attacks including Cross Site Scripting (XSS), SQL Injection, and HTML Injection vulnerabilities, among others."

This Valve performs mainly two things:

1/ Check the request parameters against the denied and allowed characters. If OK, continue with step 2 below.
2/ If step 1 above was OK, perform a string substitution.

To install the BadInputFilterValve in Tomcat you copy the class to $CATALINA_HOME/server/classes and then restart Tomcat. To activate the BadInputFilterValve for an application, put a context.xml file in your war's META-INF directory. The context.xml must have at least an allow or deny parameter to perform a check for illegal characters.

Example #1: the specified characters are disallowed, a so-called black list:

    <Context>
      <Valve className="mypkg.BadInputFilterValve" deny="\x00,\x04,\x08,\x0a,\x0d"/>
    </Context>

Example #2: a so-called white list. Only the letters a, b & c are allowed in parameters (name & value):

    <Context>
      <Valve className="mypkg.BadInputFilterValve" allow="a,b,c"/>
    </Context>

There are a number of parameters beside allow and deny you can set in context.xml: escapeQuotes, escapeAngleBrackets and escapeJavaScript.

Example:

    <Context>
      <Valve className="mypkg.BadInputFilterValve" escapeQuotes="false" escapeAngleBrackets="false" escapeJavaScript="false" allow="a,b,c"/>
    </Context>

An HTTP response code 403 (SC_FORBIDDEN) is sent if disallowed characters are found.

To test the valve you start Tomcat with the valve in the server classloader, edit the application's context.xml according to your needs and access a page with parameters:

    http://localhost:8080/test.jsp?test=%3Cscript%3Ealert('xss')%3C/script%3E
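The two-step behaviour described above (deny/allow check that ends in a 403, then the escape substitutions), modelled as a stand-alone Python script that is an added example, not the book's BadInputFilterValve.java. The parsing of the deny/allow lists and the exact replacement tables for escapeQuotes, escapeAngleBrackets and escapeJavaScript are assumptions of this model, not taken from the Valve's source.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Model of the Valve's logic (assumed details, not the book's code):
#   step 1: deny/allow character check on every parameter name and value -> 403
#   step 2: escapeQuotes / escapeAngleBrackets / escapeJavaScript substitution

def parse_char_list(spec: Optional[str]) -> Set[str]:
    """Turn 'a,b,c' or '\\x00,\\x04' into a set of single characters.
    Items written as \\xNN are decoded; everything else is taken literally."""
    chars: Set[str] = set()
    for item in (spec or "").split(","):
        if not item:
            continue
        m = re.fullmatch(r"\\x([0-9a-fA-F]{2})", item)
        chars.add(chr(int(m.group(1), 16)) if m else item)
    return chars

def has_forbidden_chars(text: str, deny: Set[str], allow: Set[str]) -> bool:
    """Step 1: a denied char, or (when a white list is set) any char outside it."""
    return any(ch in deny or bool(allow and ch not in allow) for ch in text)

def escape_text(text: str, quotes: bool = True, angle_brackets: bool = True,
                javascript: bool = True) -> str:
    """Step 2: substitutions. Replacement tables are assumed for this model."""
    if quotes:
        text = text.replace('"', "&quot;").replace("'", "&#39;").replace("`", "&#96;")
    if angle_brackets:
        text = text.replace("<", "&lt;").replace(">", "&gt;")
    if javascript:
        # neutralise a 'javascript:' scheme and the opening paren of eval-like calls
        text = re.sub(r"(?i)javascript:", "javascript&#58;", text)
        text = re.sub(r"(eval|setTimeout|setInterval|execScript)(\s*)\(", r"\1\2&#40;", text)
    return text

def filter_request(params: Dict[str, str], deny: Optional[str] = None,
                   allow: Optional[str] = None, **escape_flags) -> Tuple[int, Dict[str, str]]:
    """Return (HTTP status, filtered parameters) for one request's parameter map."""
    deny_set, allow_set = parse_char_list(deny), parse_char_list(allow)
    for name, value in params.items():
        if has_forbidden_chars(name, deny_set, allow_set) or \
           has_forbidden_chars(value, deny_set, allow_set):
            return 403, {}  # SC_FORBIDDEN: request rejected, no substitution run
    return 200, {n: escape_text(v, **escape_flags) for n, v in params.items()}

if __name__ == "__main__":
    # Constructed request: the decoded XSS probe from the test URL above.
    probe = {"test": "<script>alert('xss')</script>"}
    print(filter_request(probe, deny=r"\x00,\x04,\x08,\x0a,\x0d"))  # 200, escaped
    print(filter_request(probe, allow="a,b,c"))                      # 403: 't' not allowed
```

With the black list the probe passes step 1 and is only neutralised by step 2; with the white list the parameter name alone already triggers the 403.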