
Background Documentation: URL Input Validation on AS Java

Besides output encoding, which is the most effective way to protect Web applications against XSS, there is also the option of validating the input instead of encoding the output.

Note

Input or data validation does not mean input encoding. Input encoding must be avoided in any case, and where it exists it must be removed, because it leads to situations in which it is unclear whether the data is already encoded. Web servers should always decode the content exactly once, and Web clients should always encode the content exactly once. Most often, input encoding results in content that is encoded twice. Data validation, by contrast, allows data to be written to Web clients without output encoding.

Situations in which sanitizing can solve the problem are the contexts marked ...NEVER PUT UNTRUSTED DATA HERE..., which are described in the examples in the previous topics.

Recommendation

We also recommend using whitelist filtering to further increase protection.

URL Validation

The class URLChecker with the static method isValid() performs a syntax check of the URL and throws an exception if the URL contains characters or sequences that are not permitted (for example, <script).

For more information, see the Javadocs for the package com.sap.security.core.server.csi at http://help.sap.com/javadocs under SAP NetWeaver <Release> -> Composition Environment -> Security.

Path / URL Path Normalization

Normalization of a path means validating the path and resolving path traversal sequences such as ../ and ./ so that the resulting path no longer contains them.

Example:

http://www.server.com/path1/path2/../.././././etc/passwd
=>
http://www.server.com/etc/passwd

For AS Java, use the methods pathNormalization() and urlNormalization() in the class Canonicalization.

For more information, see the Javadocs for the package com.sap.security.core.server.csi at http://help.sap.com/javadocs under SAP NetWeaver <Release> -> Composition Environment -> Security.
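The following is an added example and is not code from the SAP documentation or from the AS Java libraries. Using JDK classes only, it shows the two checks this section describes: a strict URL syntax check that rejects injection characters and non-http(s) schemes (the kind of check URLChecker.isValid() stands for), and a path normalization that collapses ./ and ../ segments, refuses traversal above the root, and verifies that the result stays under an allowed base path (the kind of check Canonicalization.pathNormalization() and urlNormalization() stand for). The class and method names, the scheme allowlist and the sample URLs are assumptions for illustration; the SAP classes URLChecker and Canonicalization are not called.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not SAP code: a strict URL syntax check and a path
 * normalization with a containment check, written against the JDK only.
 * The AS Java classes URLChecker and Canonicalization are not used here;
 * the methods below illustrate the checks those classes stand for.
 */
public final class UrlInputValidation {

    /** Schemes this hypothetical application accepts; anything else, e.g. javascript:, is rejected. */
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /**
     * Syntax check. True only for an absolute http(s) URL with a host that the
     * JDK parser accepts and that contains no character marking an injection
     * attempt rather than a URL: whitespace, control characters, quotes, and
     * the angle brackets that turn "<script" into markup if the value is echoed.
     */
    public static boolean isValid(String url) {
        if (url == null || url.isEmpty()) {
            return false;
        }
        for (char c : url.toCharArray()) {
            if (c <= 0x20 || c == 0x7f || c == '<' || c == '>' || c == '"' || c == '\'') {
                return false;
            }
        }
        try {
            URI uri = new URI(url);
            String scheme = uri.getScheme();
            return scheme != null
                    && ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))
                    && uri.getHost() != null;
        } catch (URISyntaxException e) {
            return false; // e.g. a bare '%' or another character the URI grammar forbids
        }
    }

    /**
     * Collapses "." and ".." segments of an already decoded path. A ".." that
     * would climb above the root is an attack, not something to repair, so it
     * is rejected with an exception instead of being dropped silently.
     */
    public static String normalizePath(String decodedPath) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : decodedPath.split("/", -1)) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    throw new IllegalArgumentException("path traversal above root: " + decodedPath);
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    /**
     * Normalizes the path of an absolute URL. URI.getPath() decodes exactly
     * once, so a percent-encoded %2e%2e is collapsed like a literal "..";
     * the URL is then rebuilt from its parts so that nothing else changes.
     */
    public static String normalizeUrl(String url) throws URISyntaxException {
        URI uri = new URI(url);
        String path = uri.getPath();
        if (path == null || path.isEmpty()) {
            throw new URISyntaxException(url, "URL has no hierarchical path");
        }
        return new URI(uri.getScheme(), uri.getAuthority(), normalizePath(path),
                uri.getQuery(), uri.getFragment()).toString();
    }

    /** True if the normalized path of url still lies under basePath (for example "/app/"). */
    public static boolean staysUnder(String url, String basePath) {
        try {
            return normalizePath(new URI(url).getPath()).startsWith(basePath);
        } catch (URISyntaxException | IllegalArgumentException e) {
            return false;
        }
    }

    // Constructed inputs for illustration; the first one is the example from this page.
    public static void main(String[] args) throws URISyntaxException {
        System.out.println(normalizeUrl("http://www.server.com/path1/path2/../.././././etc/passwd"));
        System.out.println(normalizeUrl("http://www.server.com/app/%2e%2e/etc/passwd"));
        System.out.println(staysUnder("http://www.server.com/app/../app/page", "/app/"));
        System.out.println(staysUnder("http://www.server.com/app/../etc/passwd", "/app/"));
        System.out.println(isValid("https://www.server.com/path?q=1"));
        System.out.println(isValid("http://www.server.com/<script>alert(1)</script>"));
        System.out.println(isValid("javascript:alert(1)"));
    }
}
```

The first call in main() reproduces the example above, yielding http://www.server.com/etc/passwd. The second call shows why the path is taken from URI.getPath(), which decodes percent-encoding exactly once (the "decode once on the server" rule from the note above): normalizing the raw string instead would leave an encoded %2e%2e segment in place and the traversal would survive the check. staysUnder() is the containment check an application should apply after normalization and before using the path for authorization or file access.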