WebApp Sec mailing list archives

Re: Data sanitization approaches in Java


From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Sun, 16 Jan 2005 09:11:18 -0500

Ben,

I did a presentation at last year's OWASP AppSec conference on this subject. There's a link to the presentations on the conference page (http://www.owasp.org/conferences/appsec2004nyc.html).

Essentially, the approaches range from completely external (deep packet inspection/web app firewall), to web server plugin (modsecurity) to J2EE filter, to a common validation library, to just doing it everywhere in your code. There are advantages and disadvantages to all of them, although I find the J2EE filter approach to be the most flexible.

Also, I noticed that you use the word "sanitization" -- did you mean actually modifying the input data? This is a little tricky in J2EE, although possible. If that's what you're after, let me know.

Oh, and URL encoding is really not a very good idea. Many interpreters just decode URL encoding automatically. HTML entity encoded data (&lt; &gt; &quot;) is generally not interpreted. There's not an HtmlEntityEncoder built into J2EE, so you'll have to roll your own. I could post one if there's interest.

--Jeff

Jeff Williams, CEO
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: "Benjamin Livshits" <livshits () cs stanford edu>
To: <webappsec () securityfocus com>
Sent: Friday, January 14, 2005 4:20 PM
Subject: Data sanitization approaches in Java


I was wondering about data sanitization strategies commonly used in
today's Web applications, especially those written using J2EE. I am
aware of libraries that would simplify the sanitization process for you,
however, I haven't really seen many applications that use anything more
sophisticated than URL-encoding the user-supplied string data.

Are there some common sanitization strategies that people actually use
in their code on a regular basis?

Thanks in advance,
-Ben
