Home/ Questions/Q 8625065
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T07:41:22+00:00

I have a Jersey app that has been run through our corporations website vulnerability

  • 0

I have a Jersey app that has been run through our corporations website vulnerability tool. It came back with a vulnerability that is quite odd. If you send in this header:

"*/*'"!@$^*\/:;.,?{}[]`~-_<sCrIpT>alert(81363)</sCrIpT>"

You get an error message back in the BODY from jersey:

The HTTP header field "Accept" with value "*/*'"!@$^*\/:;.,?{}[]`~-_<sCrIpT>alert(56224)</sCrIpT>" could not be parsed.

This is not acceptable to our Security Team. It does come back as “text/plain” which is correct and all, but I need to change the message. Any way to do this?

This is running on Tomcat and I am using Jersey 1.14.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is from Pavel on the Jersey team:

    You should be able to purge the entity from your servlet filter, or you can register ContainerResponseFilter in Jersey, something like:

    public class PurgeErrorEntityResponseFilter implements ContainerResponseFilter {
    @Override
    public ContainerResponse filter(ContainerRequest request, ContainerResponse response) {
        if(response.getStatus() == 400) {
            response.setEntity(null);
        }
        return response;
    }
}

    and web.xml:

     <init-param>
       <param-name>com.sun.jersey.spi.container.ContainerResponseFilters</param-name>
       <param-value>x.y.z.PurgeErrorEntityResponseFilter</param-value>
   </init-param>

    This worked for me. I did this:

    response.setEntity(StringEscapeUtils.escapeHtml(response.getEntity().toString()));

    and it escaped the error message. Thanks Pavel!

    • 0