I am trying to prevent a directory traversal attack on my JSP. As well as sanitising the URL parameters, I want to not expose the directory structure altogether. Is there a way for me to hide/alter the path that the user sees and also in the source code properly?
Viewed 354 times
1 Answer
0
One approach is to place your JSPs under the WEB-INF folder. The servlet engine will restrict direct access to any files under the WEB-INF folder, which achieves your goal.
To be able to use this approach, all your links and form actions should map to servlets or a similar component in the framework you're using (e.g. actions in Struts, controllers in Spring MVC, etc.). You cannot expose direct links to JSP pages (which is a bad idea anyway).
For example, if you're using Spring MVC, the link will point to a URL which is mapped to a Controller. The controller will retrieve the data required to be displayed on the JSP and then forward to the JSP (using the appropriate Spring MVC approach).
HTH

tnabil
- so you're saying just use a button instead of `here`? – obsessiveCookie Aug 30 '13 at 10:26
- Can you please give me an example? – obsessiveCookie Aug 30 '13 at 11:02
- The example would be specific to the web framework you're using. Are you using Struts or Spring MVC? – tnabil Aug 30 '13 at 11:12
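The approach the answer describes, as an added example that is not code from the answer or the question (it uses a plain servlet rather than Struts or Spring MVC so that no framework is needed; the servlet name, the `/report` URL, the `view` parameter, the JSP file names and the `loadRows()` helper are all assumptions for illustration, and the `javax.servlet` package is assumed, which is `jakarta.servlet` on Servlet 5.0+ containers). The JSPs live under `/WEB-INF/jsp/`, so a direct request for `/WEB-INF/jsp/report-summary.jsp` is refused by the container, and the only path the browser ever sees is `/report?view=summary`. The user-supplied `view` value is never concatenated into a file path; it is only used as a key into a fixed map, so `../` sequences cannot steer the forward anywhere.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed mapping: all links and form actions point at /report, never at a .jsp.
@WebServlet("/report")
public class ReportServlet extends HttpServlet {

    // Allow-list of view keys to JSP paths. The JSPs sit under WEB-INF, which the
    // servlet container refuses to serve directly; only a forward/include reaches them.
    private static final Map<String, String> VIEWS = Map.of(
            "summary", "/WEB-INF/jsp/report-summary.jsp",
            "detail",  "/WEB-INF/jsp/report-detail.jsp");

    private static final String DEFAULT_VIEW = "summary";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String view = req.getParameter("view");
        if (view == null || view.isEmpty()) {
            view = DEFAULT_VIEW;
        }

        // Look the key up instead of building a path from it. The vulnerable
        // pattern this avoids would be:
        //   req.getRequestDispatcher("/WEB-INF/jsp/" + view + ".jsp")
        // where view=../../index could escape the jsp directory.
        String jsp = VIEWS.get(view);
        if (jsp == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Gather the model the JSP needs, then hand off to it server-side.
        req.setAttribute("rows", loadRows());
        req.getRequestDispatcher(jsp).forward(req, resp);
    }

    // Hypothetical data source; a real servlet would query a service or DAO here.
    private List<String> loadRows() {
        return List.of("row 1", "row 2");
    }
}
```

Inside the JSP, links back to the application stay framework-relative, e.g. `<a href="${pageContext.request.contextPath}/report?view=detail">details</a>`, so neither the rendered HTML nor the URL bar ever reveals where the JSP files are stored.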