Another reason for using whitelisting for validation of input is the rise of encoding-based vectors, which are used in injection-based attacks. For instance, XSS vectors encoded in a foreign language might bypass blacklist regular expressions that were written with English-language text in mind. Something like the attack vector mentioned below would bypass blacklist validation designed to prevent "<" and ">":
＜script＞alert(2);＜/script＞
Therefore, it is ideal that whitelist validation for the different input fields of a Web application, coupled with strong output encoding, be deployed to protect the application from being vulnerable to injection-based attacks.
10.2.3 Java Implementation for Input Validation and Output Encoding
We will now explore some of the packages, classes, and interfaces that may be used to develop strong input validation routines using the Java Platform. They are as follows:
StringEscapeUtils—for output encoding
Regex—for input validation
URLEncode/URLDecode—for output encoding
10.2.3.1 Regex
The new Java platform provides comprehensive support for regular expressions through the standard java.util.regex package. This package can be used to create regular expressions that validate input based on a whitelist for every type of user input in the Web application. The core classes and interfaces of the regex package in Java are the MatchResult interface and the Matcher and Pattern classes.
Regex in Java is all about Matcher and Pattern. Matcher is essentially an engine that performs "match" operations on a character sequence by interpreting a pattern.
A matcher is created from a pattern by invoking the pattern's matcher() method. Once created, a matcher instance can be used to perform three different kinds of match operations—matching the entire input sequence against a pattern, matching the input sequence starting at the beginning against a pattern, and finding the next subsequence that matches a given pattern. The matches() method attempts to match the entire input sequence against the pattern, whereas the lookingAt() method attempts to match the input sequence, starting at the beginning, against the pattern, and the find() method scans the input sequence looking for the next subsequence that matches the pattern. All these pattern-matching methods return a Boolean indicating success or failure.
There are a number of other utility methods in the Matcher class, such as reset(), start(), region(), regionStart(), regionEnd(), and so on, which help in performing regex operations on the patterns.
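The following is an added example, not code from the book: a whitelist validator for a username field built on java.util.regex, run against the three match operations described above so the difference between matches(), lookingAt() and find() is visible. The class name and the username rule are assumptions made for the example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not from the book): whitelist validation of a username field with
// java.util.regex, showing why matches() (whole input) is the right choice for
// validation and how lookingAt() and find() behave differently on the same input.
public class WhitelistValidator {

    // Whitelist: 3 to 20 ASCII letters, digits, dot, underscore or hyphen. Deliberately
    // unanchored so the three match operations below diverge on partial matches.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{3,20}");

    // Validation: the ENTIRE input must be in the whitelist. A full-width "＜script＞"
    // is rejected exactly like an ASCII "<script>" because neither bracket is allowed;
    // no blacklist of dangerous characters is involved.
    public static boolean isValidUsername(String input) {
        return input != null && USERNAME.matcher(input).matches();
    }

    // The same pattern evaluated with all three operations. reset() rewinds the matcher
    // between calls, since matches()/find() advance its internal state.
    public static String describe(String input) {
        Matcher m = USERNAME.matcher(input);
        boolean whole = m.matches();              // entire input must match
        boolean prefix = m.reset().lookingAt();   // match must start at index 0
        boolean anywhere = m.reset().find();      // any subsequence may match
        return String.format("%-34s matches=%-5b lookingAt=%-5b find=%b",
                input, whole, prefix, anywhere);
    }

    public static void main(String[] args) {
        String[] inputs = {
            "alice_01",                                        // fully whitelisted
            "alice<b>",                                        // allowed prefix, forbidden tail
            "\uFF1Cscript\uFF1Ealert(2);\uFF1C/script\uFF1E"   // full-width form of the vector in the text
        };
        for (String s : inputs) {
            System.out.println(describe(s) + "  -> valid=" + isValidUsername(s));
        }
    }
}
```

Only matches() rejects "alice<b>", and only matches() and lookingAt() reject the full-width vector; find() accepts any input that merely contains an allowed run, which is why it must not be used as a validation check.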
10.2.3.2 StringEscapeUtils
The StringEscapeUtils class belongs to the org.apache.commons.lang package and helps in escaping and unescaping strings not just for Java but also for JavaScript, HTML, and