On a GET request, how can the request parameters be scanned for any security vulnerability?
```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.*;

@Controller
public class MyController {
    @RequestMapping(value = "/XX/YYY", method = {RequestMethod.GET, RequestMethod.HEAD})
    public String myCustomMethod(Model model, HttpServletRequest request, HttpServletResponse response,
                                 @RequestParam(value = "a", required = false) String a,
                                 @RequestParam(value = "b", required = false) String b) {
        return "myView"; // view name; the method body was left empty in the question
    }
}
```
In this code sample I want to check if parameter a/b is infected with something like //"<iframe src="http://www.goal.com/?">.
The prevention I use is to encode the untrusted input before adding to output as suggested by OWASP, the Open Web Application Security Project.
I use their ESAPI library. Find here links to
Once you have included the library, locate the ESAPI.properties and validation.properties files in the configuration/.esapi directory and copy them to your project's root (if you are using maven, src/main/resources). Those files specify the strategy for validation and encoding; I'm usually good with the defaults.
You can then use the encoder like this:
```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

Encoder encoder = ESAPI.encoder();
String aSafe = encoder.encodeForHTML(a); // safe to place in an HTML text node
String bSafe = encoder.encodeForHTML(b);
```
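As an added example (not code from the question or the answer above), here is the controller from the question with both halves of the approach the answer describes: ESAPI allow-list validation of the parameters on the way in, and ESAPI encoding of each value for the exact output context it lands in on the way out. It assumes ESAPI 2.x on the classpath with ESAPI.properties and validation.properties reachable as described above; "SafeString" is one of the regex types shipped in the default validation.properties. The class name, view names and model attribute names are hypothetical.

```java
// Added example: validate untrusted GET parameters with ESAPI, then encode per output context.
// Assumes ESAPI 2.x and Spring MVC on the classpath; names below are hypothetical.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;
import org.owasp.esapi.errors.ValidationException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class SafeParamController {

    // "SafeString" is a regex type from ESAPI's default validation.properties
    // (alphanumerics and whitespace). Use a stricter type, or define your own, per parameter.
    private static final String PARAM_TYPE = "SafeString";
    private static final int MAX_LEN = 200;

    @RequestMapping(value = "/XX/YYY", method = {RequestMethod.GET, RequestMethod.HEAD})
    public String myCustomMethod(Model model, HttpServletRequest request, HttpServletResponse response,
                                 @RequestParam(value = "a", required = false) String a,
                                 @RequestParam(value = "b", required = false) String b) {
        try {
            // 1. Input validation (allow-list). getValidInput canonicalizes the value first, so a
            //    percent-encoded <iframe ...> is checked in decoded form and fails the regex;
            //    allowNull=true lets the optional parameters be absent.
            String validA = ESAPI.validator().getValidInput("param a", a, PARAM_TYPE, MAX_LEN, true);
            String validB = ESAPI.validator().getValidInput("param b", b, PARAM_TYPE, MAX_LEN, true);

            // 2. Output encoding chosen by where each value is rendered. encodeForHTML alone is
            //    not enough if the same value is also placed in an attribute, a URL or a script.
            Encoder enc = ESAPI.encoder();
            model.addAttribute("aHtml", enc.encodeForHTML(nullToEmpty(validA)));          // <p>${aHtml}</p>
            model.addAttribute("aAttr", enc.encodeForHTMLAttribute(nullToEmpty(validA))); // <input value="${aAttr}">
            model.addAttribute("bUrl",  enc.encodeForURL(nullToEmpty(validB)));           // <a href="/x?b=${bUrl}">
            model.addAttribute("bJs",   enc.encodeForJavaScript(nullToEmpty(validB)));    // var b = '${bJs}';
            return "myView";
        } catch (ValidationException | EncodingException e) {
            // Fail closed and do not echo the offending value back into the error page.
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return "badRequest";
        }
    }

    private static String nullToEmpty(String s) {
        return s == null ? "" : s;
    }
}
```

To check it, request /XX/YYY?a=%3Ciframe%20src%3D%22http%3A%2F%2Fwww.goal.com%2F%3F%22%3E and confirm a 400 with the generic error view, then request /XX/YYY?a=hello%20world and confirm the view renders the value. Validation and encoding are deliberately both present: the allow-list rejects obvious payloads early and bounds the length, while the context-specific encoding is what actually prevents injection for any value that passes, including legitimate values containing characters such as quotes or angle brackets if you later relax the regex.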