
Cross-Site Scripting and Web Parameter Tampering prevention in Playframework

After launching our first public alpha release of which is built with Play framework, I have been experiencing Web Parameter Tampering attempts being made by someone or something (i.e. bots). These attempts have been going on for a while now. We are looking into boosting our security. I was wondering if someone has experience integrating tools like OWASP with Playframework. I would like to get some community feedback on what other people are doing against such attacks.

Below are a few Web Parameter Tampering attempts in action:

    Internal Server Error (500) for request GET /supplier/:q/:page?q=:supplierUUID

    Execution exception (In {module:common-model}/app/models/services/ around line 46)
    NumberFormatException occured : For input string: ""

    play.exceptions.JavaExecutionException: For input string: ""
        at play.mvc.ActionInvoker.invoke(
        at Invocation.HTTP Request(Play!)
    Caused by: java.lang.NumberFormatException: For input string: ""
        at java.lang.NumberFormatException.forInputString(
        at java.lang.Long.parseLong(
        at java.lang.Long.valueOf(
        at controllers.Application.supplier(
        at play.mvc.ActionInvoker.invokeWithContinuation(
        at play.mvc.ActionInvoker.invoke(
        at play.mvc.ActionInvoker.invokeControllerMethod(
        at play.mvc.ActionInvoker.invokeControllerMethod(
        at play.mvc.ActionInvoker.invoke(
        ... 1 more
    22 Mar 2012 07:20:57,270 ERROR play:570 - 

    phpmyadmin.translators.html action not found

    Action not found
    Action phpmyadmin.translators.html could not be found. Error raised is Controller controllers.phpmyadmin.translators not found

    play.exceptions.ActionNotFoundException: Action phpmyadmin.translators.html not found
        at play.mvc.ActionInvoker.getActionMethod(
        at play.mvc.ActionInvoker.resolve(
        at Invocation.HTTP Request(Play!)
    Caused by: java.lang.Exception: Controller controllers.phpmyadmin.translators not found
        ... 3 more
    22 Mar 2012 10:13:16,611 ERROR play:570 - 

    nice ports,.Trinity.txt.bak action not found

    Action not found
    Action nice ports,.Trinity.txt.bak could not be found. Error raised is Controller controllers.nice ports,.Trinity.txt not found

    play.exceptions.ActionNotFoundException: Action nice ports,.Trinity.txt.bak not found
        at play.mvc.ActionInvoker.getActionMethod(
        at play.mvc.ActionInvoker.resolve(
        at Invocation.HTTP Request(Play!)
    Caused by: java.lang.Exception: Controller controllers.nice ports,.Trinity.txt not found
        ... 3 more


  • I would suggest removing the 'catch all' route

    # Catch all  
    *       /{controller}/{action}                  {controller}.{action}

    Remove this, and have explicit mappings to all your controllers and actions.
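The two points above (the `NumberFormatException` raised by `Long.valueOf("")` in `controllers.Application.supplier`, and replacing the catch-all route with explicit mappings) can be handled together. The following is an added example, not code from the question author or from the Play project: a Play 1.x action that validates its parameters before parsing them, so a tampered value produces a 400 instead of a 500 and a stack trace. It assumes Play 1.x (the `play.mvc.ActionInvoker` / `play.exceptions` names in the logs match that branch), a hypothetical `Supplier` model, and an explicit route in `conf/routes` using Play 1.x's `{<regex>name}` parameter syntax, shown in the leading comment.

```java
package controllers;

import play.mvc.Controller;

// Added example (not from the question or the Play project).
//
// Assumed explicit route in conf/routes, replacing the catch-all:
//   GET  /supplier/{<[0-9]+>id}/{<[0-9]+>page}   Application.supplier
// The {<regex>name} form is Play 1.x route syntax: a non-numeric id or page
// no longer matches any route, so the request gets a 404 at the router
// instead of reaching the action and blowing up in Long.valueOf.
public class Application extends Controller {

    // Upper bound on the page number; value chosen for this example.
    private static final long MAX_PAGE = 10_000L;

    /** Parses a decimal id or returns null; never throws NumberFormatException. */
    static Long parseId(String raw) {
        // 18 digits always fits in a long, so no overflow check is needed after this.
        if (raw == null || raw.isEmpty() || raw.length() > 18) {
            return null;
        }
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c < '0' || c > '9') {
                return null;
            }
        }
        return Long.valueOf(raw);
    }

    public static void supplier(String id, String page) {
        Long supplierId = parseId(id);
        Long pageNo = parseId(page);
        if (supplierId == null || pageNo == null || pageNo < 1 || pageNo > MAX_PAGE) {
            // Defensive check in case the action is ever reachable through
            // another route: reject tampered input with a 400, no stack trace.
            badRequest();
        }
        // Supplier is a hypothetical play.db.jpa.Model subclass for this example.
        Supplier s = Supplier.findById(supplierId);
        notFoundIfNull(s);   // unknown id -> 404 rather than a null dereference
        render(s, pageNo);
    }
}
```

With the regex-constrained route in place, the `phpmyadmin.translators.html` and `nice ports,.Trinity.txt.bak` probes from the logs stop being reported as `ActionNotFoundException` with a stack trace and simply fail to match any route; the in-action check is a second layer for values that pass the router but are still out of range.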