1

A 3rd party web application has a cross-scripting security issue. There is one page with three fields which are not sanitized. The vendor will not provide a timely fix and I need to.

The application is running in Tomcat and uses Struts 1. The action for the bad page looks like this:

<action
  path="/badpage"
  type="com.badvendor.BadAction"
  name="badForm"
  scope="request"
  validate="true"
  input="/otherbadpage.do">
  <forward name="failure" path="/otherbadpage.do"/>
  <forward name="success" path="/otherbadpage.do"/>
</action>

I do not have the source code for the action class.

What is the easiest way to get between the request and the action to sanitize the input (or even just cause an error on bad input)?

Improve this question
4
  • It might be easiest to solve this without writing code. Is there a way to add validation rules with configuration files only?
    – Jeremy Stein
    Commented Sep 4, 2009 at 20:28
  • @Jeremy - is this app using Struts Validator? (struts.apache.org/1.3.10/faqs/validator.html) If so, yes, you may be able to add validation rules without changing java code
    – ChssPly76
    Commented Sep 4, 2009 at 20:38
  • @ChssPly76 - No, it's not, but can't I just enable it? Or would there have to be code support?
    – Jeremy Stein
    Commented Sep 4, 2009 at 20:43
  • The form in question would have to extend ValidatorForm in order for this to work.
    – ChssPly76
    Commented Sep 4, 2009 at 20:54

1 Answer 1

Reset to default
2

You can:

  1. Change the mapping to point to a different action (yours). Forward control to the action in question after sanitizing input.
  2. Write a servlet filter to intercept that particular URI.
Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.