Tag Archives: The request was rejected because the URL contained a potentially malicious String error

The request was rejected because the URL contained a potentially malicious String “;” [How to Solve]

Error message

Errors seen in the browser

Security Question

error
The request was rejected because the URL contained a potentially malicious String “;”

Errors seen from the console

2019-09-09 10:39:30,149 ERROR (DirectJDKLog.java:182)- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
	at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
	at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

Environmental information

***Springboot2.0 + Spring Security ***

Code tracking

We can findorg.springframework.security.web.firewall.StrictHttpFirewall

/**
 * <p>
 * Determines if semicolon is allowed in the URL (i.e. matrix variables). The default
 * is to disable this behavior because it is a common way of attempting to perform
 * <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File Download Attacks</a>.
 * It is also the source of many exploits which bypass URL based security.
 * </p>
 * <p>For example, the following CVEs are a subset of the issues related
 * to ambiguities in the Servlet Specification on how to treat semicolons that
 * led to CVEs:
 * </p>
 * <ul>
 *     <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>
 *     <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>
 *     <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>
 * </ul>
 *
 * <p>
 * If you are wanting to allow semicolons, please reconsider as it is a very common
 * source of security bypasses. A few common reasons users want semicolons and
 * alternatives are listed below:
 * </p>
 * <ul>
 * <li>Including the JSESSIONID in the path - You should not include session id (or
 * any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
 * </li>
 * <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider
 * using HTTP parameters instead.
 * </li>
 * </ul>
 *
 * @param allowSemicolon should semicolons be allowed in the URL. Default is false
 */
public void setAllowSemicolon(boolean allowSemicolon) {
	if (allowSemicolon) {
		urlBlacklistsRemoveAll(FORBIDDEN_SEMICOLON);
	} else {
		urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);
	}
}

Mentioned here, if you want a semicolon, please reconsider because it is a very common source of security bypass. Here are some common reasons why users need semicolons and alternatives:
Include JSESSIONID in the path-You should not include the session ID (or any sensitive information) in the URL, as it may lead to leakage. Instead, cookies are used.

solution

@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Bean
    public HttpFirewall allowUrlSemicolonHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        return firewall;
    }
}

If the security restriction is released, the error will not be encountered, and it is not suitable for applications with very high security requirements.