Prevent XSS attempts on a Tomcat/Struts 1 web application (without source code) | ansaurus

tags:

views:

444

answers:

1

+1 Q:

Prevent XSS attempts on a Tomcat/Struts 1 web application (without source code)

A 3rd party web application has a cross-scripting security issue. There is one page with three fields which are not sanitized. The vendor will not provide a timely fix and I need to.

The application is running in Tomcat and uses Struts 1. The action for the bad page looks like this:

<action
  path="/badpage"
  type="com.badvendor.BadAction"
  name="badForm"
  scope="request"
  validate="true"
  input="/otherbadpage.do">
  <forward name="failure" path="/otherbadpage.do"/>
  <forward name="success" path="/otherbadpage.do"/>
</action>

I do not have the source code for the action class.

What is the easiest way to get between the request and the action to sanitize the input (or even just cause an error on bad input)?

+2 A:

You can:

Change the mapping to point to a different action (yours). Forward control to the action in question after sanitizing input.
Write a servlet filter to intercept that particular URI.

ChssPly76 2009-09-04 20:17:17

related questions

Java Time Zone is messed up

Eclipse on win64

Automate builds for Java RCP for deployment with JNLP

Why are professors or schools picking Java over C++ to teach to students?

Is there a real benefit of using J#?

Public/Popular Websites using JavaServer Faces

Why can't I use a try block around my super() call?

Accessing post variables using Java Servlets

Personal Linux web server

Is this really widening vs autoboxing?

How can I Java webstart multiple, dependent, native libraries?

Why can't I call toString() on a Java primitive?

How do I use Java to read from a file that is actively being written?

What code analysis tools do you use for your Java projects?

IllegalArgumentException or NullPointerException for a null parameter?

How do I configure and communicate with a serial port?

What is the best way to parse strings in Java

Getting started with a custom JXTA PeerGroup

Creating a custom button in Java

How to get started "writing" a code coverage tool?

Which Build-/Configuration Management Tool?

What is the difference between an int and an Integer in Java/C#?

What is the meaning of the type safety warning in certain Java generics casts?

How would you access Object properties from within an object method?

Converting CSV File to XML in Java