
Validating webservice parameters for XSS attack - Axis2, Java

We have a webservice which saves data and presents the same on the User interface for viewing the transactions. Now, my requirement is to validate all the input parameters in the web service request to make sure that vulnerable content is not shown on UI. I am looking for solutions to validate input params in the web service request, before it is saved to database.

Some of the solutions that I have are below:

  1. Use a Java Filter along with any parser API - DOM or SAX etc. - and validate all the input parameters. But this approach might create a lot of burden on the server. DOM and SAX parser
  2. Before saving the data into our database, validate each parameter from the Java object and, if any of them fails, fail the transaction. This looks fine, but it is kind of a maintenance overhead as and when we add a new service.

Are there any APIs or jars which can be integrated with Axis2 or Java and which take care of validating the request params rather than doing it manually?

Please suggest what is the best way.

Thanks, Harika

As you mentioned, approach 2 is the ideal one, and you can use the Apache Commons Lang library's StringEscapeUtils, which has the methods escapeHtml, escapeJavaScript and escapeXml, which can eliminate front-end code before saving it into the database.

This will prevent XSS but cannot guarantee SQL injection prevention.
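
One way to apply approach 2 without writing checks for each new service, as an added example that is not part of the original question or answer: a reflective allow-list check over the String fields of a request object, using only the JDK. The class names, the sample bean and the allow-list pattern are assumptions; it inspects direct String fields only (not nested beans or collections), and the UI still has to escape values when rendering them.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class RequestParamValidator {

    // Assumption: one allow-list for free-text fields; tighten it per field type in a real service.
    private static final Pattern SAFE_TEXT = Pattern.compile("[\\p{L}\\p{N} .,_@'-]{0,256}");

    /** Returns the names of String fields whose value falls outside the allow-list. */
    public static List<String> invalidFields(Object request) {
        List<String> bad = new ArrayList<>();
        // Walk the class hierarchy so inherited request fields are checked too.
        for (Class<?> c = request.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                if (f.getType() != String.class || Modifier.isStatic(f.getModifiers())) continue;
                f.setAccessible(true);
                try {
                    String v = (String) f.get(request);
                    if (v != null && !SAFE_TEXT.matcher(v).matches()) bad.add(f.getName());
                } catch (IllegalAccessException e) {
                    bad.add(f.getName()); // unreadable field: fail closed
                }
            }
        }
        return bad;
    }

    /** Call before the persistence layer; throwing here fails the transaction. */
    public static void validateOrReject(Object request) {
        List<String> bad = invalidFields(request);
        if (!bad.isEmpty()) throw new IllegalArgumentException("Rejected parameters: " + bad);
    }

    // Constructed sample bean (hypothetical; stands in for an Axis2-generated request type).
    static class SaveTransactionRequest {
        String accountName = "Harika Traders";
        String memo = "<script>alert(1)</script>";
        int amount = 100;
    }

    public static void main(String[] args) {
        // Lists the fields that would cause the request to be rejected.
        System.out.println(invalidFields(new SaveTransactionRequest()));
    }
}
```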
