AntiSQLFilter
by SmartWare

HOW TO
1. Classpath

The AntiSQLFilter jar file must be on your web application's classpath,
i.e. in WEB-INF/lib inside your web application directory or WAR file.

2. web.xml

Your web.xml must declare AntiSQLFilter and map it to the resources you want protected, for example:

...

<filter>
  <filter-name>antiSQL</filter-name>
  <filter-class>org.smartware.antisql.AntiSQLFilter</filter-class>
  <init-param>
    <param-name>logging</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>behavior</param-name>
    <param-value>forward</param-value>
  </init-param>
  <init-param>
    <param-name>forwardTo</param-name>
    <param-value>/noWay.jsp</param-value>
  </init-param>
</filter>

<filter-mapping>
   <filter-name>antiSQL</filter-name>
   <url-pattern>*.do</url-pattern>
</filter-mapping>

...

<servlet>
   <servlet-name>myServlet</servlet-name>
   <servlet-class>test.MyServlet</servlet-class>
</servlet>

<servlet-mapping>
   <servlet-name>myServlet</servlet-name>
   <url-pattern>myServlet.do</url-pattern>
</servlet-mapping>

...

About the init parameters:

a) logging = true: the ServletContext log method is called to record every detected SQL injection attempt, like this:

Possible SQL injection attempt #1 at Mon Aug 29 20:17:03 BRT 2005
Remote Address: 127.0.0.1
Remote User: null
Session Id: B66B7EB264DB1FB67748B4B595D0395F
URI: /virtual-store/login.do
Parameters via POST
  password = 567567567
  Submit = enter
  email = ' and 0=0; --

b) behavior = forward: when a SQL injection attempt is detected, the filter forwards the request to the resource named by forwardTo and the target servlet is never invoked. Two other behaviors can be configured:

behavior = protect (the default): each dangerous SQL keyword has its second character removed (so "select" becomes "slect") and each dangerous SQL delimiter is replaced by a blank space. The request then continues down the chain with the sanitized parameter values. Note that this also alters legitimate input that happens to contain a listed token, such as an apostrophe in a surname or the word "update" in a free-text field.

behavior = throw: a ServletException is thrown, breaking the request flow; the container answers with its error page unless you configure an <error-page> for that exception.

c) forwardTo: the resource to forward to when behavior = forward, as a context-relative path (e.g. /noWay.jsp).
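The logged attempt above targets /virtual-store/login.do with email = ' and 0=0; --. Whatever behavior the filter is configured with, the servlet behind such a mapping should still bind its parameters, because the filter only recognises a fixed token list. The following servlet is an added illustration for this page, not code shipped with AntiSQLFilter; it assumes a JNDI DataSource at java:comp/env/jdbc/store and a users table with email and password columns (password hashing is left out to keep the point visible).

```java
package test;

import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/**
 * Illustrative login servlet for the myServlet.do mapping in web.xml.
 * Not part of AntiSQLFilter: shows why the filter is a second line of
 * defence and parameter binding is the first.
 */
public class MyServlet extends HttpServlet {

    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            // Assumed JNDI name; adjust to your container's configuration.
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/store");
        } catch (NamingException e) {
            throw new ServletException("DataSource lookup failed", e);
        }
    }

    // VULNERABLE: the parameter is pasted into the SQL text. With
    // behavior=protect the logged payload "' and 0=0; --" arrives as
    // "  and 0=0   " and no longer breaks the query, but any payload that
    // avoids the filter's token list still reaches the SQL parser.
    static boolean loginUnsafe(Connection c, String email, String password) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE email = '" + email
                   + "' AND password = '" + password + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // SAFE: values are bound as parameters and are never parsed as SQL,
    // regardless of what the filter did or did not catch.
    static boolean loginSafe(Connection c, String email, String password) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE email = ? AND password = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, email);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try (Connection c = dataSource.getConnection()) {
            boolean ok = loginSafe(c, req.getParameter("email"), req.getParameter("password"));
            resp.setContentType("text/plain");
            resp.getWriter().println(ok ? "welcome" : "login failed");
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

loginUnsafe is kept only to show the contrast; a real servlet should contain the loginSafe form exclusively. With behavior=throw or forward the attack never reaches doPost, but the bound query is what protects you on the day the payload does not match the list.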

J2EE filter issues:

a) Configure AntiSQLFilter as the first filter in the chain. A filter that runs before it can complete the request itself without calling chain.doFilter(), in which case AntiSQLFilter never sees the request. The container applies filters in the order of their <filter-mapping> elements in web.xml.

b) You can declare as many <filter-mapping> elements as you want for the same AntiSQLFilter <filter-name>; that is how you cover several resource patterns (*.do, *.jsp, ...). The /* url-pattern can of course be used to cover everything.
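Putting both points together, here is an added web.xml fragment (not from the project's own documentation) that maps AntiSQLFilter to two patterns and places it ahead of a second, hypothetical filter named com.example.AuditFilter:

```xml
<!-- Filter declarations: order here does not matter. -->
<filter>
  <filter-name>antiSQL</filter-name>
  <filter-class>org.smartware.antisql.AntiSQLFilter</filter-class>
  <init-param>
    <param-name>logging</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>behavior</param-name>
    <param-value>throw</param-value>
  </init-param>
</filter>

<filter>
  <filter-name>audit</filter-name>
  <!-- assumed class name, stands in for any other filter in your app -->
  <filter-class>com.example.AuditFilter</filter-class>
</filter>

<!-- Filter mappings: the container runs matching filters in this order,
     so every antiSQL mapping is listed before the other filter's. -->
<filter-mapping>
  <filter-name>antiSQL</filter-name>
  <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>antiSQL</filter-name>
  <url-pattern>*.jsp</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>audit</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

If you later add a mapping for a third filter, keep it below the antiSQL mappings; a mapping inserted above them would run first for the URLs it matches.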

4. Deploy

Deploy your web application as usual

5. Test

The following SQL delimiters and keywords are detected by AntiSQLFilter. Use them in your regular URLs and HTML forms to test your configuration, and watch the ServletContext log file. Bear in mind that this is a fixed blacklist: input containing none of these tokens passes untouched (for example 1 OR 1=1 in a numeric parameter), so the filter complements parameterized queries rather than replacing them.

  • ;
  • "
  • '
  • /*
  • */
  • --
  • exec
  • select
  • update
  • delete
  • insert
  • alter
  • drop
  • create
  • shutdown
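To see what the default protect behavior does with these tokens before you deploy, here is a stand-alone Java simulation written for this page. It is not the AntiSQLFilter source: the order of the two steps (delimiters first, then keywords) and whole-word, case-insensitive keyword matching are assumptions the page does not state. It runs the transformation over the POST parameters from the log excerpt in section 2 plus two constructed legitimate values that the list also hits.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Simulation of the detection and "protect" transformation described in
 * the HOW TO. Illustrative code for this page, not org.smartware.antisql.
 */
public class AntiSqlProtectDemo {

    // Delimiters from the test list above: each is replaced by a blank space.
    static final List<String> DELIMITERS = Arrays.asList(";", "\"", "'", "/*", "*/", "--");

    // Keywords from the test list above: their 2nd character is suppressed.
    static final List<String> KEYWORDS = Arrays.asList(
        "exec", "select", "update", "delete", "insert", "alter", "drop", "create", "shutdown");

    // Assumption: whole-word, case-insensitive matching.
    static final Pattern KEYWORD_PATTERN = Pattern.compile(
        "\\b(" + String.join("|", KEYWORDS) + ")\\b", Pattern.CASE_INSENSITIVE);

    /** True if the value contains any listed delimiter or keyword. */
    static boolean looksLikeInjection(String value) {
        for (String d : DELIMITERS) {
            if (value.contains(d)) {
                return true;
            }
        }
        return KEYWORD_PATTERN.matcher(value).find();
    }

    /** The "protect" behavior as the page describes it. */
    static String protect(String value) {
        String out = value;
        for (String d : DELIMITERS) {
            out = out.replace(d, " ");
        }
        Matcher m = KEYWORD_PATTERN.matcher(out);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String kw = m.group(1);
            // drop the 2nd character: "select" -> "slect", "drop" -> "dop"
            String mangled = kw.charAt(0) + kw.substring(2);
            m.appendReplacement(sb, Matcher.quoteReplacement(mangled));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the POST parameters from the log excerpt,
        // plus two legitimate values that the blacklist also matches.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("password", "567567567");
        params.put("Submit", "enter");
        params.put("email", "' and 0=0; --");
        params.put("name", "O'Brien");                   // apostrophe is a delimiter
        params.put("note", "please update my address");  // "update" is a keyword

        for (Map.Entry<String, String> e : params.entrySet()) {
            boolean hit = looksLikeInjection(e.getValue());
            System.out.printf("%-8s = %-26s flagged=%-5s protected=%s%n",
                e.getKey(), e.getValue(), hit, protect(e.getValue()));
        }
    }
}
```

Run it and compare the two legitimate rows with the attack row: the payload is defused, but "O'Brien" and "update" are rewritten too, which is the cost of behavior = protect and the reason to test with real form data before switching it on.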