Struts XSS and SQL Injection vulnerabilities

Rajan Vij
Greenhorn

Joined: Mar 13, 2009
Posts: 2
Hi All,

Does anyone there know how Struts handles XSS and SQL Injection vulnerabilities?
I mean, what are the classes which handle these vulnerabilities?
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30138
    
150

It's a design change not a class you just call.

SQL Injection - make sure you are always using prepared statements and passing in all user values via parameters

XSS - make sure you are escaping user content on submission or on rendering. Struts does provide some protection in their tags. I recall seeing it extended, so I don't know how complete it is.


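To make the two recommendations above concrete, here is an added example (it is not from the original post and is not Struts code): a lookup built by string concatenation beside its PreparedStatement form, and a minimal HTML-escaping helper of the kind a filter or tag applies on rendering. The `users` table, the `conn` connection and the `escapeHtml` name are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class InputHandling {

    // VULNERABLE: the user-supplied value becomes part of the SQL text, so a
    // value containing a single quote breaks out of the literal and changes
    // the meaning of the query.
    static ResultSet findUserUnsafe(Connection conn, String username) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id, name FROM users WHERE name = '" + username + "'");
    }

    // SAFE: the SQL text is fixed at compile time; the driver sends the value
    // as a bound parameter, so it is never parsed as SQL (assumed table "users").
    static ResultSet findUser(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // Escape the five characters that matter in HTML text and attribute values.
    // Apply this when rendering user content (or in a filter, as the poster did);
    // the cost is one linear pass over the string, negligible next to a DB call.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a comment carrying markup and quotes.
        String userComment = "<b>hello</b> & \"quotes\"";
        System.out.println(escapeHtml(userComment));
    }
}
```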
Rajan Vij
Greenhorn

Joined: Mar 13, 2009
Posts: 2
Are tags the only way to avoid XSS?

I have implemented a filter with which I have escaped the user content from the request, and I have also used prepared and callable statements to avoid SQL Injection.

But filters reduce the performance, so I just wanted to know how it has been implemented in Struts releases where they have taken care of such vulnerabilities, so that I could use performance-based code.



Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30138
    
150

It's not the filter reducing the performance; it's the search/replace. Any solution is going to need to do that. Luckily, it reduces the performance by such a tiny percentage compared to the database call that it's a non-issue.