Class SecurityWrapper

  • All Implemented Interfaces:
    javax.servlet.Filter

    public class SecurityWrapper
    extends java.lang.Object
    implements javax.servlet.Filter
    This filter wraps the incoming request and outgoing response and overrides many methods with safer versions. Many of the safer versions simply validate parts of the request or response for unwanted characters before allowing the call to complete. Some examples of attacks that use these vectors include request splitting, response splitting, and file download injection. Attackers use techniques like CRLF injection and null byte injection to confuse the parsing of requests and responses.

    Example Configuration #1 (Default Configuration allows /WEB-INF):

     <filter>
        <filter-name>SecurityWrapperDefault</filter-name>
        <filter-class>org.owasp.filters.SecurityWrapper</filter-class>
     </filter>
     

    Example Configuration #2 (Allows /servlet)

     <filter>
        <filter-name>SecurityWrapperForServlet</filter-name>
        <filter-class>org.owasp.filters.SecurityWrapper</filter-class>
        <init-param>
           <param-name>allowableResourceRoot</param-name>
           <param-value>/servlet</param-value>
        </init-param>
     </filter>
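To show concretely what "wrapping the request and response and overriding methods with safer versions" means, here is an added illustrative filter. It is not the OWASP/ESAPI SecurityWrapper source, does not implement the allowableResourceRoot parameter, and uses a hypothetical class name; it assumes only the javax.servlet API on the classpath. It rejects CR, LF and NUL in response header values and redirect locations (the response-splitting vector) and treats request parameters containing those characters as absent (the null byte and request-splitting vector), so downstream code never sees them.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Illustrative filter (hypothetical name; not the ESAPI SecurityWrapper implementation). */
public class SanitizingWrapperFilter implements Filter {

    /** True if the value carries CR, LF or NUL, the characters behind CRLF and null byte injection. */
    static boolean containsInjectionChars(String s) {
        if (s == null) return false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') return true;
        }
        return false;
    }

    /** Response wrapper: header names/values and redirect targets must never carry CR/LF. */
    static class SafeResponse extends HttpServletResponseWrapper {
        SafeResponse(HttpServletResponse r) { super(r); }

        private static String checked(String name, String value) {
            if (containsInjectionChars(name) || containsInjectionChars(value)) {
                // Fail closed: a header that would split the response is never written.
                throw new IllegalArgumentException("Illegal control character in header: " + name);
            }
            return value;
        }

        @Override public void setHeader(String name, String value) {
            super.setHeader(name, checked(name, value));
        }
        @Override public void addHeader(String name, String value) {
            super.addHeader(name, checked(name, value));
        }
        @Override public void sendRedirect(String location) throws IOException {
            super.sendRedirect(checked("Location", location));
        }
    }

    /** Request wrapper: parameters containing NUL or CR/LF are reported as absent. */
    static class SafeRequest extends HttpServletRequestWrapper {
        SafeRequest(HttpServletRequest r) { super(r); }

        @Override public String getParameter(String name) {
            String v = super.getParameter(name);
            return containsInjectionChars(v) ? null : v;
        }
        @Override public String[] getParameterValues(String name) {
            String[] vs = super.getParameterValues(name);
            if (vs == null) return null;
            for (String v : vs) {
                if (containsInjectionChars(v)) return null;
            }
            return vs;
        }
    }

    @Override public void init(FilterConfig cfg) throws ServletException {
        // No configuration is read in this illustration.
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            // Everything after this filter in the chain sees only the wrapped objects.
            chain.doFilter(new SafeRequest((HttpServletRequest) req),
                           new SafeResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override public void destroy() { }
}
```

Declared in web.xml exactly like the configurations above (with this class in place of org.owasp.filters.SecurityWrapper), the filter takes effect for every servlet and JSP mapped after it; the wrappers are only as complete as the set of methods they override, so a real deployment should cover every method through which untrusted bytes can reach a header, a parameter or a file name.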
     
    Author:
    Chris Schmidt (chrisisbeef@gmail.com)
    • Constructor Summary

      Constructors
      Constructor        Description
      SecurityWrapper()
    • Method Summary

      Modifier and Type   Method                                                                                                              Description
      void                destroy()
      void                doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
      void                init(javax.servlet.FilterConfig filterConfig)
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • SecurityWrapper

        public SecurityWrapper()
    • Method Detail

      • doFilter

        public void doFilter(javax.servlet.ServletRequest request,
                             javax.servlet.ServletResponse response,
                             javax.servlet.FilterChain chain)
                      throws java.io.IOException,
                             javax.servlet.ServletException
        Specified by:
        doFilter in interface javax.servlet.Filter
        Parameters:
        request -
        response -
        chain -
        Throws:
        java.io.IOException
        javax.servlet.ServletException
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter
      • init

        public void init(javax.servlet.FilterConfig filterConfig)
                  throws javax.servlet.ServletException
        Specified by:
        init in interface javax.servlet.Filter
        Parameters:
        filterConfig -
        Throws:
        javax.servlet.ServletException