Java Web Application Security – XSS Combat Part 2


A previous post from last year introduced a grand project that I was about to begin. After much analysis and searching, I found a great solution for securing my Java (JEE) application against XSS and SQLi attacks.

OWASP (the Open Web Application Security Project) offers the Enterprise Security API (ESAPI) to aid me in my endeavor to make my application more robust and immune to the constant hacker threats that exist out there in cyberspace.

First, download the appropriate distribution for your web application architecture. Here we will show the example in Java.


Here we have downloaded the esapi-2.0.1-dist zip archive. The built esapi-2.0.1.jar is ready to be placed in our own web application. Also grab the basic properties files that are needed to get the ESAPI security services running within your app.
I grabbed mine in the src\test\resources\esapi directory.


Copy the and files as shown above. These should be placed on your Java web application's classpath.

After placing the jar and properties files in their respective locations in your web app, reload the application; logging similar to the following should be visible during the deployment process.


Notice that, right out of the box, esapi-2.0.1.jar attempts to initialize the two properties files that we placed on our Java app's classpath. ESAPI is smart enough to try several locations on your computer before giving up.

Not found in ‘org.owasp.esapi.resources’ directory or file not readable: C:\Program Files\Apache Software Foundation\Tomcat\apache-tomcat-7.0.39-GA-8104\bin\
Not found in SystemResource Directory/resourceDirectory: .esapi\
Not found in ‘user.home’ (C:\Users\u0105457) directory: C:\Users\u0105457\esapi\
Loading via file I/O failed. Exception was:
Attempting to load via the classpath.
SUCCESSFULLY LOADED via the CLASSPATH from ‘/ (root)’ using current thread context class loader!

ESAPI looks in the server bin path, the SystemResource directory, the user home directory, and finally was loaded via the classpath. One out of four ain’t bad right?
The same search happens for the file as well.

Now that ESAPI is set up, we can start using it to secure our application.
Begin by brushing up on the ESAPI javadocs.
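A quick smoke test like the following confirms that the jar and properties files were picked up and shows the two ESAPI services we care about for XSS: contextual output encoding and input validation. This is an added example, not code from the original post; it assumes esapi-2.0.1.jar and the two properties files copied above are on the classpath, and the class name, the sample input and the "name" validation context are my own.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class EsapiSmokeTest {

    // Constructed sample: an attacker-controlled request parameter value.
    private static final String UNTRUSTED = "<script>alert('xss')</script>";

    /**
     * Output encoding is context-specific: the same untrusted value must be
     * encoded differently depending on where the page inserts it.
     */
    static String[] encodeForContexts(String input) {
        Encoder enc = ESAPI.encoder(); // first ESAPI call triggers the properties lookup logged above
        return new String[] {
            enc.encodeForHTML(input),          // between tags, e.g. <p>...</p>
            enc.encodeForHTMLAttribute(input), // inside a quoted attribute value
            enc.encodeForJavaScript(input)     // inside a JavaScript string literal
        };
    }

    /**
     * Whitelist validation against the "SafeString" regex defined in the default
     * ESAPI properties (Validator.SafeString). Returns null when the value is rejected.
     */
    static String validateSafeString(String input) {
        Validator v = ESAPI.validator();
        try {
            // context "name" only labels the field in log messages
            return v.getValidInput("name", input, "SafeString", 100, false);
        } catch (ValidationException e) {
            System.out.println("Rejected (validation): " + e.getMessage());
            return null;
        } catch (IntrusionException e) {
            System.out.println("Rejected (intrusion): " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        for (String encoded : encodeForContexts(UNTRUSTED)) {
            System.out.println(encoded);
        }
        System.out.println("Valid input: " + validateSafeString(UNTRUSTED));
        System.out.println("Valid input: " + validateSafeString("Claus"));
    }
}
```

Compile and run it with esapi-2.0.1.jar (and its dependencies) on the classpath; the script tag is rejected by the validator because the SafeString pattern allows only alphanumerics, whitespace and periods.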

In following posts, we shall dive into configuring and to suit our needs.

Also, we shall get acclimated with the most useful methods to use in our fight against XSS.

See you then…


About javaclaus

Java Programmer, Code master, mountain biker, snowboarder, etc.
This entry was posted in ESAPI, Java, OWASP, Security, SQL Injection, XSS.
