[Esapi-user] [OWASP-ESAPI] Issues with Input validation using ESAPI

Jim Manico jim.manico at owasp.org
Thu Jul 29 07:21:36 EDT 2010


Just food for thought,

I still like the idea of several low level APIs with many parameters.

1) These APIs are very frequently hit (every request from every user)

2) They are already doing expensive regular expression operations

3) By keeping these function signatures "primitive" we avoid extra object creation and garbage collection 

4) Possibly a higher-performance design 

But I agree it's getting messy with all of these needed enhancements 

PS: The ONLY time the validators' integrated canonicalization injured my user data was when I was expecting HTML (via TinyMCE). In these cases I just use AntiSamy directly without canonicalization. Anyone else run into this problem?


On Jul 28, 2010, at 1:04 PM, Craig Younkins <craig.younkins at owasp.org> wrote:

> No, I think this is a legitimate issue. He doesn't want to canonicalize that parameter because it will mess up the user's password. All the getValid methods in the validators canonicalize before doing anything else. See [1].
> 
> I think the validators should take an optional flag that defaults to true that determines whether canonicalization should be done.
> 
> Craig Younkins
> 
> [1] http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/validation/StringValidationRule.java#267
> 
> On Wed, Jul 28, 2010 at 1:52 PM, Jeff Williams <jeff.williams at owasp.org> wrote:
> Actually I believe that isValidInput calls canonicalize which will throw this error.  Specifically the error means that your test data contains double encoded characters - this should only happen in an attack.  I thought this was configurable, but I'd have to check.  The default is to stop processing if double encoding is detected - either multiple different schemes or multiple times.  I suggest changing your test case :-)
> 
> --Jeff
> 
> Jeff Williams
> Aspect Security
> work: 410-707-1487
> main: 301-604-4882
> 
> 
> 
> On Jul 28, 2010, at 12:37 PM, "Kesavanarayanan, Ramesh" <Ramesh.Kesavanarayanan at Pearson.com> wrote:
> 
>> “I don’t know if you can disable ESAPI rejecting input that has been encoded multiple times in the same scheme”.
>> 
>>  
>> 
>> One way to do this is to call the ESAPI.validator().isValidInput() method on every request parameter. If it returns true, then you call up getValidInput(); otherwise just throw an exception to the end user.
>> 
>> Regards |  Ramesh Kesavanarayanan  |    319-354-9200 ext 215785 / 215972 (O) |  /  319-621-7641 (M)   | ramesh.kesavanarayanan at pearson.com
>> 
>> From: Dave Wichers [mailto:dave.wichers at owasp.org] 
>> Sent: Wednesday, July 28, 2010 12:20 PM
>> To: Kesavanarayanan, Ramesh; Craig Younkins
>> Cc: owasp-esapi at lists.owasp.org; 'Jeff Williams'
>> Subject: RE: [OWASP-ESAPI] Issues with Input validation using ESAPI
>> 
>>  
>> 
>> ESAPI by default automatically rejects input that has multiple encodings detected in the input.
>> 
>>  
>> 
>> When ESAPI validates, it first decodes all the input against the encoding scheme(s) you have selected (or the default), and then it validates.  This error message looks like it is coming out of the decoder, not the validator.
>> 
>>  
>> 
>> What I’m not sure of is exactly what this error message means; it could be either:
>> 
>>  
>> 
>> 1)      That two different encoding schemes were detected in the same input, or
>> 
>> 2)      That some of the input has been encoded two or more times with the same encoding scheme.
>> 
>>  
>> 
>> I’m assuming it’s #2, but it would be good to clarify the error message.
>> 
>>  
>> 
>> If this policy is OK with you, then I think you are good to go.
>> 
>>  
>> 
>> If you don’t want to deal with encoded input on this field I believe you can turn it off, but don’t know how. Jeff or Jim or someone should know.
>> 
>>  
>> 
>> I don’t know if you can disable ESAPI rejecting input that has been encoded multiple times in the same scheme.
>> 
>>  
>> 
>> -Dave
>> 
>>  
>> 
>> From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Kesavanarayanan, Ramesh
>> Sent: Wednesday, July 28, 2010 12:57 PM
>> To: Craig Younkins
>> Cc: owasp-esapi at lists.owasp.org
>> Subject: Re: [OWASP-ESAPI] Issues with Input validation using ESAPI
>> 
>>  
>> 
>> Here is the exception when I change this to your regex and validate with ESAPI.
>> 
>>  
>> 
>> Multiple (2x) encoding detected in asdfASDFASDF!@#$%#@$%#$%^&**^&*('$%^&(%^@asdfasdfoasdjfals546756216316315ASDFSDFSDFIASJDFasd{}{}{}{}';::::fasldkf=====---___=+++++++++#@#$!@#$@!#$!@#$////\\/\/\/\/\/\/[][][][][][}}}}}}}}{}{}{}{\||||||
>> 
>>  
>> 
>>  
>> 
>> Regards |  Ramesh Kesavanarayanan  |    319-354-9200 ext 215785 / 215972 (O) |  /  319-621-7641 (M)   | ramesh.kesavanarayanan at pearson.com
>> 
>> From: Craig Younkins [mailto:craig.younkins at owasp.org] 
>> Sent: Wednesday, July 28, 2010 10:38 AM
>> To: Kesavanarayanan, Ramesh
>> Cc: owasp-esapi at lists.owasp.org
>> Subject: Re: [OWASP-ESAPI] Issues with Input validation using ESAPI
>> 
>>  
>> 
>> Your regex is wrong. Try this:
>> 
>>  
>> 
>> pwdRegEx = "^[ a-zA-Z0-9!@\\\\/$#%\\^&\\*_\\+\\-=\\?\\|><,;:'`~{}()\\[\\]]+";
>> 
>>  
>> 
>> Use something like this to debug your regex: http://gskinner.com/RegExr/
>> 
>>  
>> 
>> Craig Younkins
>> 
>> 2010/7/28 Kesavanarayanan, Ramesh <Ramesh.Kesavanarayanan at pearson.com>
>> 
>> I have a text field wherein I allow all characters on the keyboard except the “double quotes”.
>> 
>> 1.      Characters (a-z,A-Z)
>> 
>> 2.      Special characters ({!@$#%^&*_+-=[]\|/?>.<,;:’`~})
>> 
>> 3.      Numbers from 0-9
>> 
>> I have defined the regular expression in my esapi.properties file for this field as follows
>> 
>>  
>> 
>> The user for example is typing the following character sequence in this text box and when I validate this using the ESAPI it throws me an exception even though I have allowed “backslash” in the sequence.
>> 
>> This scenario happens only when the user types in a larger number of backslashes in the text field.
>> 
>> The regular expression I have configured is as follows
>> 
>> pwdRegEx = "^[ a-zA-Z0-9!@\\$#%^&*_+-=\\[\\]\\\\/?\\|><,;:'`~{}()]+$";
>> 
>> User Input
>> 
>> asdfASDFASDF!@#$%#@$%#$%^&**^&*('$%^&(%^@asdfasdfoasdjfals546756216316315ASDFSDFSDFIASJDFasd{}{}{}{}';::::fasldkf=====---___=+++++++++#@#$!@#$@!#$!@#$////\\/\/\/\/\/\/[][][][][][}}}}}}}}{}{}{}{\||||||
>> 
>> Is there anything I need to do with double encoding or so?
>> 
>>  
>> 
>> Regards |  Ramesh Kesavanarayanan  |    319-354-9200 ext 215785 / 215972 (O) |  /  319-621-7641 (M)   | ramesh.kesavanarayanan at pearson.com
>> 
>> 
>> _______________________________________________
>> OWASP-ESAPI mailing list
>> OWASP-ESAPI at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>> 
>>  
>> 
> 
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
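The canonicalize-before-validate behaviour the whole thread turns on (the double-encoding rejection Dave and Jeff describe, the isValidInput-then-getValidInput pattern Ramesh suggests, and the opt-out flag Craig proposes) as an added Python model. This is not ESAPI's code and not something any poster wrote: it is a simplified reimplementation of a decode-until-stable loop with two stand-in codecs (percent escapes and JavaScript backslash escapes), with exception messages modelled on the one Ramesh quotes. The names `canonicalize`, `get_valid_input`, `is_valid_input`, the `canonicalize_first` flag and all sample values are assumptions constructed for illustration; the allow-list regex is Craig's, transcribed into Python raw-string syntax with a trailing `$`.

```python
"""Simplified model of canonicalize-then-validate (illustration, not ESAPI code)."""
import re
from typing import Callable, List, Optional, Tuple


class IntrusionException(Exception):
    """Raised by the canonicalizer in strict mode when layered encoding is found."""


class ValidationException(Exception):
    """Raised when the canonical value does not match the field's allow-list."""


# Two stand-in codecs (assumption: ESAPI uses a larger set, but the loop is the point).
_PERCENT = re.compile(r"%([0-9A-Fa-f]{2})")          # %2F -> /
_JS_ESCAPE = re.compile(r"\\([^A-Za-z0-9])")        # \/ -> /   \\ -> \


def decode_percent(s: str) -> str:
    return _PERCENT.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_js(s: str) -> str:
    return _JS_ESCAPE.sub(lambda m: m.group(1), s)


CODECS: List[Tuple[str, Callable[[str], str]]] = [
    ("percent", decode_percent),
    ("javascript", decode_js),
]


def canonicalize(value: str, strict: bool = True) -> str:
    """Decode with every codec until nothing changes.

    found_count = number of rounds in which some codec still decoded something
                  (the "Multiple (Nx)" case: same scheme applied more than once).
    mixed_count = number of distinct codecs that decoded something
                  (the "Mixed (Nx)" case: two schemes layered on one value).
    """
    working = value
    codec_found: Optional[str] = None
    mixed_count = 1
    found_count = 0
    clean = False
    while not clean:
        clean = True
        for name, decode in CODECS:
            old = working
            working = decode(working)
            if working != old:
                if codec_found is not None and codec_found != name:
                    mixed_count += 1
                codec_found = name
                if clean:                     # first codec to fire in this round
                    found_count += 1
                clean = False
    if found_count >= 2 and mixed_count > 1:
        msg = f"Multiple ({found_count}x) and mixed encoding ({mixed_count}x) detected in {value}"
    elif found_count >= 2:
        msg = f"Multiple ({found_count}x) encoding detected in {value}"
    elif mixed_count > 1:
        msg = f"Mixed encoding ({mixed_count}x) detected in {value}"
    else:
        return working
    if strict:
        raise IntrusionException(msg)
    return working          # non-strict: only log the finding and keep going


# Craig's character class, as a Python raw string, anchored at both ends.
PWD_PATTERN = re.compile(r"^[ a-zA-Z0-9!@\\/$#%\^&\*_\+\-=\?\|><,;:'`~{}()\[\]]+$")


def get_valid_input(context: str, value: str, pattern: "re.Pattern[str]",
                    max_length: int = 200, canonicalize_first: bool = True) -> str:
    """Canonicalize (unless the caller opts out), then allow-list match."""
    working = canonicalize(value) if canonicalize_first else value
    if len(working) > max_length:
        raise ValidationException(f"{context}: longer than {max_length} characters")
    if not pattern.fullmatch(working):
        raise ValidationException(f"{context}: does not match the allowed pattern")
    return working


def is_valid_input(context: str, value: str, pattern: "re.Pattern[str]",
                   max_length: int = 200, canonicalize_first: bool = True) -> bool:
    """Boolean form of the same check, swallowing both failure types."""
    try:
        get_valid_input(context, value, pattern, max_length, canonicalize_first)
        return True
    except (ValidationException, IntrusionException):
        return False


if __name__ == "__main__":
    # Constructed samples, not the thread's real input.
    for sample in ["Tr0ub4dor&3", r"pass\\/word", "%5C/abc"]:
        print(f"{sample!r}: with canonicalization={is_valid_input('password', sample, PWD_PATTERN)}"
              f"  raw={is_valid_input('password', sample, PWD_PATTERN, canonicalize_first=False)}")
```

Running it shows why a backslash-heavy password trips the check even though every character is in the allow-list: `\\/` decodes to `\/` in one round and to `/` in the next, so the loop reports "Multiple (2x) encoding", which matches Ramesh's observation that the failure appears only once more backslashes are typed. With `canonicalize_first=False` the same value passes the regex untouched, which is reasonable for a password that is only ever hashed and never decoded or rendered; for any field that is later emitted into HTML, URLs or scripts the canonicalization step is the part doing the protecting and should stay on.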