Make Your Java Web Applications Impervious to Cross-site Scripting

  • February 22, 2010
  • By Ramasubramanian Thiyagarajan, Vijayasaradhi Paramakusum, Sivakumar Kuppusamy

Client-Side Protection: Removing Malicious Characters

To stop attacker-supplied script from running in the client's browser, you can strip potentially dangerous characters from request parameters and cookies before the application uses them. Two steps accomplish this:

  1. Identify the characters treated as unsafe, such as <, >, (, ), and %, in parameters and cookies.
  2. Remove those characters from the parameter and cookie values.

For example, the following request to http://www.examplesite/welcome.html?user=siva carries a cross-site scripting payload in the parameter 'user' (the query string decodes to siva>"'><img src="javascript:alert(66647)">).

   GET /welcome.html?user=siva>%22%27><img%20src%3d%22javascript:alert(66647)%22> HTTP/1.0
   Cookie: JSESSIONID="1658AFD202313272EB979A90E96B3A3D"; userLocale=en_US; userTimezone="Asia/Calcutta"
   Accept: */*
   Accept-Language: en-US
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/2008120122 Firefox/3.0.5
   Host: www.examplesite:8180
   Referer: http://www.examplesite:8180/welcome.html?user=siva

When this request arrives, the server-side filter strips the unsafe characters from the parameter before the application reads it, so the injected markup never reaches the generated page and no script executes in the client's browser.

Filters run in the order in which their filter-mapping elements appear in the deployment descriptor (web.xml). To make the sanitizing filter (named crossSite in this example) run before any other filter, declare its filter-mapping ahead of all other filter mappings in the web application's web.xml, and give it the URL pattern /* so that it is applied to every request.

A Custom Filter

The custom filter in Listing 1 removes the untrusted characters from request parameters and cookies using the HttpServletRequestWrapper class, which wraps the incoming request. When the application asks the wrapped request for a parameter or a cookie, the wrapper strips the unsafe characters from the value before returning it, so the rest of the application only ever sees the sanitized data. The wrapped request is then passed down the filter chain for normal processing.

Server-Side Protection: Implementing the Filter

The following steps deploy the server-side filter in your web application.

  1. Add the compiled RequestFilter class in the WEB-INF/classes folder of the web application.
  2. Add the filter declaration in the deployment descriptor (web.xml).
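The following is an added example, not the article's Listing 1 (which does not appear on this page): a complete RequestFilter and request wrapper in Java that implements the two steps above, stripping the article's character list (<, >, (, ), %) from parameters and cookie values before the application sees them. The web.xml fragment in the header comment uses the filter name crossSite and the URL pattern /* named in the article; declaring the class in the default package is an assumption that matches step 1, which places the compiled class directly in WEB-INF/classes.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Example filter (added here, not the article's own listing) that removes
 * the characters < > ( ) % from request parameters and cookie values.
 *
 * Declare it first in web.xml so it runs ahead of every other filter.
 * Filter name and URL pattern are from the article; the default-package
 * class name is an assumption matching a class placed in WEB-INF/classes:
 *
 *   <filter>
 *     <filter-name>crossSite</filter-name>
 *     <filter-class>RequestFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>crossSite</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class RequestFilter implements Filter {

    // The article's blacklist. The container has already URL-decoded the
    // parameters, so "%" here matches a literal percent sign, not an encoded
    // sequence such as %3c (that has already become "<" and is caught as such).
    private static final Pattern UNSAFE = Pattern.compile("[<>()%]");

    /** Removes every blacklisted character; null stays null. */
    static String sanitize(String value) {
        return value == null ? null : UNSAFE.matcher(value).replaceAll("");
    }

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Hand the rest of the chain a wrapped request; the original is untouched.
        if (req instanceof HttpServletRequest) {
            req = new SanitizingRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Wrapper that returns sanitized copies of parameters and cookies. */
    static class SanitizingRequest extends HttpServletRequestWrapper {
        SanitizingRequest(HttpServletRequest request) { super(request); }

        @Override public String getParameter(String name) {
            return sanitize(super.getParameter(name));
        }

        @Override public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) return null;
            String[] clean = new String[values.length];
            for (int i = 0; i < values.length; i++) clean[i] = sanitize(values[i]);
            return clean;
        }

        @Override public Map<String, String[]> getParameterMap() {
            // Rebuild the map so callers that iterate it also get clean values.
            Map<String, String[]> clean = new HashMap<String, String[]>();
            for (Object name : super.getParameterMap().keySet()) {
                clean.put((String) name, getParameterValues((String) name));
            }
            return clean;
        }

        @Override public Cookie[] getCookies() {
            Cookie[] cookies = super.getCookies();
            if (cookies == null) return null;
            Cookie[] clean = new Cookie[cookies.length];
            for (int i = 0; i < cookies.length; i++) {
                clean[i] = (Cookie) cookies[i].clone();   // javax.servlet.http.Cookie is Cloneable
                clean[i].setValue(sanitize(cookies[i].getValue()));
            }
            return clean;
        }
    }
}
```

Run against the request shown earlier, getParameter("user") returns siva"'img src="javascript:alert66647" instead of the decoded payload siva>"'><img src="javascript:alert(66647)">, so the tag cannot be formed. Note what the blacklist does not cover: the quotes survive, so a value reflected unescaped inside an HTML attribute can still break out of it, and legitimate input containing parentheses or percent signs is silently altered. Treat this filter as defense in depth and keep contextual output encoding (HTML, attribute, JavaScript, URL) in the pages themselves as the primary control.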

With the techniques covered here (client-side validation and server-side filtering) you have a first line of defense against cross-site scripting in your Java-based web applications. Keep in mind that stripping a fixed set of characters is a blacklist, which can be incomplete and can mangle legitimate input; it belongs alongside contextual output encoding of everything your pages render, not in place of it.

About the Authors

Sivakumar Kuppusamy is a product technical lead with product incubation engineering at Infosys, involved in the design and development of Java EE applications.

Ramasubramanian Thiyagarajan is a technology analyst with product incubation engineering at Infosys, involved in the design and development of Java EE applications.

Vijayasaradhi Paramakusum is a technology lead with product incubation engineering at Infosys, involved in the design and development of Java EE applications.

Page 2 of 2
