Ben,
I did a presentation at last year's OWASP AppSec conference on this subject.
There's a link to the presentations on the conference page
(http://www.owasp.org/conferences/appsec2004nyc.html).
Essentially, the approaches range from completely external (deep packet
inspection/web app firewall), to web server plugin (modsecurity) to J2EE
filter, to a common validation library, to just doing it everywhere in your
code. There are advantages and disadvantages to all of them, although I
find the J2EE filter approach to be the most flexible.
Also, I noticed that you use the word "sanitization" -- did you mean
actually modifying the input data? This is a little tricky in J2EE,
although possible. If that's what you're after, let me know.
Oh, and URL encoding is really not a very good idea. Many interpreters just
decode URL encoding automatically. HTML entity encoded data (< >
") is generally not interpreted. There's not an HtmlEntityEncoder built
into J2EE, so you'll have to roll your own. I could post one if there's
interest.
--Jeff
Jeff Williams, CEO
Aspect Security, Inc.
http://www.aspectsecurity.com
----- Original Message -----
From: "Benjamin Livshits" <livshits@cs.stanford.edu>
To: <webappsec@securityfocus.com>
Sent: Friday, January 14, 2005 4:20 PM
Subject: Data sanitization approaches in Java
I was wondering about data sanitization strategies commonly used in
today's Web applications, especially those written using J2EE. I am
aware of libraries that would simplify the sanitization process for you,
however, I haven't really seen many applications that use anything more
sophisticated than URL-encoding the user-supplied string data.
Are there some common sanitization strategies that people actually use
in their code on a regular basis?
Thanks in advance,
-Ben
