After launching our first public alpha release of http://wwww.trademango.com, which is built with Play framework, I have been experiencing Web Parameter Tampering attempts being made by someone or something (i.e. bots). These attempts have been going on for a while now. We are looking into boosting our security. I was wondering if someone has experience integrating tools like OWASP with Playframework. I would like to get some community feedback on what other people are doing against such attacks.
Below are a few Web Parameter Tampering attempts in action:
@69mkklokf
Internal Server Error (500) for request GET /supplier/:q/:page?q=:supplierUUID
Execution exception (In {module:common-model}/app/models/services/ID.java around line 46)
NumberFormatException occured : For input string: ""
play.exceptions.JavaExecutionException: For input string: ""
    at play.mvc.ActionInvoker.invoke(ActionInvoker.java:231)
    at Invocation.HTTP Request(Play!)
Caused by: java.lang.NumberFormatException: For input string: ""
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Long.parseLong(Long.java:450)
    at java.lang.Long.valueOf(Long.java:508)
    at models.services.ID.base36ToUUID(ID.java:46)
    at controllers.Application.supplier(Application.java:177)
    at play.mvc.ActionInvoker.invokeWithContinuation(ActionInvoker.java:548)
    at play.mvc.ActionInvoker.invoke(ActionInvoker.java:502)
    at play.mvc.ActionInvoker.invokeControllerMethod(ActionInvoker.java:478)
    at play.mvc.ActionInvoker.invokeControllerMethod(ActionInvoker.java:473)
    at play.mvc.ActionInvoker.invoke(ActionInvoker.java:161)
    ... 1 more
22 Mar 2012 07:20:57,270 ERROR play:570 -
@69mkklokg
phpmyadmin.translators.html action not found
Action not found
Action phpmyadmin.translators.html could not be found. Error raised is Controller controllers.phpmyadmin.translators not found
play.exceptions.ActionNotFoundException: Action phpmyadmin.translators.html not found
    at play.mvc.ActionInvoker.getActionMethod(ActionInvoker.java:590)
    at play.mvc.ActionInvoker.resolve(ActionInvoker.java:85)
    at Invocation.HTTP Request(Play!)
Caused by: java.lang.Exception: Controller controllers.phpmyadmin.translators not found
    ... 3 more
22 Mar 2012 10:13:16,611 ERROR play:570 -
@69mkklokh
nice ports,.Trinity.txt.bak action not found
Action not found
Action nice ports,.Trinity.txt.bak could not be found. Error raised is Controller controllers.nice ports,.Trinity.txt not found
play.exceptions.ActionNotFoundException: Action nice ports,.Trinity.txt.bak not found
    at play.mvc.ActionInvoker.getActionMethod(ActionInvoker.java:590)
    at play.mvc.ActionInvoker.resolve(ActionInvoker.java:85)
    at Invocation.HTTP Request(Play!)
Caused by: java.lang.Exception: Controller controllers.nice ports,.Trinity.txt not found
    ... 3 more
I would suggest removing the 'catch all' route
# Catch all
* /{controller}/{action} {controller}.{action}
Remove this, and have explicit mappings to all your controllers and actions.
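
A triage sketch for log entries like the ones quoted in the question, added here as an example and not part of the original posts: it separates requests that resolved to a non-existent action from exceptions raised in the application's own code, and reports the first non-framework stack frame for the latter. The sample log is abridged from the traces above; the function name `triage` and the two category labels are assumptions of this example.

```python
import re

# Constructed sample: abridged from the three entries quoted in the question.
SAMPLE_LOG = """\
@69mkklokf
Internal Server Error (500) for request GET /supplier/:q/:page?q=:supplierUUID
play.exceptions.JavaExecutionException: For input string: ""
    at play.mvc.ActionInvoker.invoke(ActionInvoker.java:231)
Caused by: java.lang.NumberFormatException: For input string: ""
    at java.lang.Long.parseLong(Long.java:450)
    at models.services.ID.base36ToUUID(ID.java:46)
    at controllers.Application.supplier(Application.java:177)
22 Mar 2012 07:20:57,270 ERROR play:570 -
@69mkklokg
phpmyadmin.translators.html action not found
play.exceptions.ActionNotFoundException: Action phpmyadmin.translators.html not found
    at play.mvc.ActionInvoker.getActionMethod(ActionInvoker.java:590)
22 Mar 2012 10:13:16,611 ERROR play:570 -
@69mkklokh
nice ports,.Trinity.txt.bak action not found
play.exceptions.ActionNotFoundException: Action nice ports,.Trinity.txt.bak not found
    at play.mvc.ActionInvoker.getActionMethod(ActionInvoker.java:590)
"""

ERROR_ID = re.compile(r"^@(\w+)\s*$", re.M)   # Play prints an @id line per error
NOT_FOUND = re.compile(r"ActionNotFoundException: Action (.+?) not found")
FRAME = re.compile(r"^\s+at ([\w.$]+)\(([\w.]+:\d+)\)", re.M)
FRAMEWORK = ("play.", "java.", "javax.", "sun.")  # frames that are not our code


def triage(log):
    """Split the log on @id markers and classify each entry."""
    parts = ERROR_ID.split(log)[1:]               # [id, body, id, body, ...]
    results = []
    for err_id, body in zip(parts[0::2], parts[1::2]):
        missing = NOT_FOUND.search(body)
        if missing:
            # The URL mapped to a controller/action that does not exist.
            results.append((err_id, "unknown-action", missing.group(1)))
            continue
        # Otherwise the request reached application code and it threw:
        # the first frame outside the framework/JDK is where to add validation.
        own = [f"{method} ({loc})" for method, loc in FRAME.findall(body)
               if not method.startswith(FRAMEWORK)]
        results.append((err_id, "app-exception", own[0] if own else "unknown"))
    return results


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

Only the `app-exception` entry points at code that needs input validation; the `unknown-action` entries are requests for actions the application never defined.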