
How to Modify Request Parameters with a Servlet Filter When Source Code Changes Are Forbidden?

Patricia Arquette (Original), 2024-11-05 06:21:02


Modify Request Parameter with Servlet Filter

In an existing web application, you're facing an XSS vulnerability and are prohibited from modifying the source code. To address this issue, you intend to utilize a servlet filter to sanitize request parameters before they reach the vulnerable page.

The provided code sample demonstrates your filter class, XssFilter:

```java
import java.io.IOException;
import javax.servlet.*;

public final class XssFilter implements Filter {

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    String badValue = request.getParameter("dangerousParamName");
    String goodValue = sanitize(badValue);
    // There is no request.setParameter(...) in the Servlet API, so goodValue
    // cannot be written back here: the downstream page still reads badValue.
    chain.doFilter(request, response);
  }

  // HTML-escape the characters that matter in an HTML text or attribute context.
  private static String sanitize(String value) {
    if (value == null) return null;
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#x27;");
  }

  @Override public void init(FilterConfig filterConfig) {}

  @Override public void destroy() {}
}
```

However, you've encountered an obstacle: neither ServletRequest nor HttpServletRequest has a setParameter method; the parameter map is a read-only view of the query string and form body. To overcome this limitation, consider the following approaches:

Using HttpServletRequestWrapper:

Utilize the HttpServletRequestWrapper class to create a wrapper around the original request. Override getParameter to return the sanitized value, and override getParameterValues and getParameterMap as well, since frameworks and JSP EL may read the parameter through any of those three methods and an unwrapped path hands the raw value straight back to the page. Then pass the wrapped request to chain.doFilter instead of the original.

This approach requires subclassing and wraps the original request, but it is exactly the mechanism the Servlet API provides for this: the wrapper delegates every call to the original request except the methods you override, and no application code has to change. The caveat is that escaping on the way in is a stopgap: HTML-escaping is correct only if the page emits the value in an HTML text or attribute context, and a value that the page later places inside a script block, a URL, or CSS needs a different encoding at the point of output.
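The wrapper approach in full, as an added example rather than the page's own code. The parameter name dangerousParamName is the placeholder from the question; the class names SanitizedRequest and the HTML-escaping sanitize helper are assumptions made for illustration, and the filter still has to be mapped to the vulnerable URL pattern in web.xml (a deployment-descriptor change, not a source change).

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public final class XssFilter implements Filter {

  // Placeholder name from the question; the real one comes from the vulnerable page.
  private static final String PARAM = "dangerousParamName";

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    if (request instanceof HttpServletRequest) {
      request = new SanitizedRequest((HttpServletRequest) request);
    }
    // Everything downstream (servlet, JSP, framework) now sees the wrapper.
    chain.doFilter(request, response);
  }

  @Override public void init(FilterConfig filterConfig) {}

  @Override public void destroy() {}

  /** Assumed helper class: rewrites every read path for the dangerous parameter. */
  static final class SanitizedRequest extends HttpServletRequestWrapper {

    SanitizedRequest(HttpServletRequest request) {
      super(request);
    }

    @Override
    public String getParameter(String name) {
      String value = super.getParameter(name);
      return PARAM.equals(name) ? sanitize(value) : value;
    }

    // Multi-valued read path; some frameworks use this even for single values.
    @Override
    public String[] getParameterValues(String name) {
      String[] values = super.getParameterValues(name);
      if (values == null || !PARAM.equals(name)) return values;
      String[] out = new String[values.length];
      for (int i = 0; i < values.length; i++) out[i] = sanitize(values[i]);
      return out;
    }

    // Map read path; must agree with the two methods above or the raw value leaks.
    @Override
    public Map<String, String[]> getParameterMap() {
      Map<String, String[]> copy = new HashMap<>(super.getParameterMap());
      if (copy.containsKey(PARAM)) copy.put(PARAM, getParameterValues(PARAM));
      return Collections.unmodifiableMap(copy);
    }
  }

  // HTML-escape for an HTML text/attribute context. Assumed implementation;
  // wrong for script, URL or CSS contexts, which need their own encoders.
  static String sanitize(String value) {
    if (value == null) return null;
    StringBuilder sb = new StringBuilder(value.length());
    for (char c : value.toCharArray()) {
      switch (c) {
        case '&':  sb.append("&amp;");  break;
        case '<':  sb.append("&lt;");   break;
        case '>':  sb.append("&gt;");   break;
        case '"':  sb.append("&quot;"); break;
        case '\'': sb.append("&#x27;"); break;
        default:   sb.append(c);
      }
    }
    return sb.toString();
  }
}
```

Map the filter with a filter-mapping in web.xml whose url-pattern covers the vulnerable page (or all of /*), and place it before any other filter that reads the parameter. A quick check after deployment: request the page with dangerousParamName=<script>alert(1)</script> and confirm the response body contains &lt;script&gt; rather than a live tag.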

Setting Request Attribute:

Alternatively, you can modify the target servlet or JSP to expect a request attribute rather than a request parameter for the dangerous parameter. Your filter can then examine the parameter, sanitize it, and set the request attribute with the sanitized value using request.setAttribute.

This method is cleaner in that it avoids subclassing and does not alter what the request reports about itself, but it requires modifying the target servlet or JSP to read the attribute instead of the parameter, which means it does not meet the original constraint of leaving the source code untouched. Use it when that constraint is lifted; otherwise the wrapper is the only option that works purely from the filter.
