Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to configure Spring Controller and/or JAXB to help prevent SQL / XSS injection

Tags:

java

spring

xml

xss

jaxb

I have a Controller in Spring with a method like the following

@RequestMapping(value = "/v1/something", method = RequestMethod.POST, headers = "content-type=application/xml")
@Valid
public void something(@RequestBody final SomeBody myDto  . . . . .

I want to be sure that the Request Body does not contain any SQL or Javascript characters to help avoid SQL Injection, XSS attacks etc.

Does JAXB already handle that scenario? I was considering writing a filter but I can only read the request body once?

Any suggestions?

like image 543
kellyfj Avatar asked May 06 '13 19:05

kellyfj

People also ask

Does spring prevent SQL injection?

In general, in most cases, preventing a Java SQL injection is the same as preventing a Spring Boot SQL injection. As stated above, an SQL injection is basically an attack that incorporates special control characters into a valid input for malicious intents.

1 Answers

Proper XSS and SQL injection protection (and data validation in general) can only happen on the server side. Client side validation is irrelevant as a malicious user can just write their own client or send custom HTTP request. Client side validation is only useful to notify non-malicious users of form validations without a server round trip (ex: verify that a field is a number or email address). Even in that situation the server must also perform the validation.

To prevent SQL injection use bind variables (eg prepared statements) for all parameterized queries. You should never have to concatenate client inputs to generate a SQL statement. If you never generate SQL statements from client input and only use them as bind variables you don't have to worry about SQL injection at all.

String clientValue = ...
Connection conn = ...
PreparedStatement stmt = conn.prepare("INSERT INTO foobar VALUES (?)");
stmt.setString(clientValue);
stmt.executeUpdate();

Or with Spring JDBC:

String clientValue = ...
JdbcTemplate jdbcTemplate = ...
jdbcTemplate.update("INSERT INTO foobar VALUES (?)", clientValue);

To prevent XSS make sure to sanitize all data before you output it. White-listing client data when it is saved is generally a good idea too if you have an explicit subset of acceptable text but it becomes more complicated when you factor in Unicode support. It's generally much easier to just deal with it on the rendering side.

For example if you are using JSTL to render your output you would use something like:

<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
${fn:escapeXml(myModelVariable)}
like image 56
sehrope Avatar answered Oct 11 '22 09:10

sehrope
Sign in to Comment

Related questions

Variable declaration in if clause
How to stop the timer after certain time?
regular expression goes into infinite loop
Apache Camel enrich message with file content on request
Intercept JDBC Connection
When time zone of China it goes, work as good Java will not?
JAX-WS has XSD schema in different URL
Checking at runtime if a class has a specific constructor that is using generics
Reproduce tcp CLOSE_WAIT state with java client/server
System.out.println function syntax in C++
Types of encryption available in Java?
Create Java on Oracle database with JDBC
converting Object [] to double [] in java
Filling my arrays with random numbers?
Dynamically load jar in groovy
Using for loop to get the Hamming distance between 2 strings
list all column names which are updated
Is int.class.isInstance(Object) a contradiction?
jmonkeyengine movement too fast for collision detection
Implementing a Simple HTTPS Proxy Application with Java?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!