[OWASP-ESAPI] Issues with Input validation using ESAPI

Jim Manico jim.manico at owasp.org
Sat Aug 7 23:54:57 EDT 2010


> I think the validators should take an optional flag that defaults to true
> that determines whether canonicalization should be done.

 

I agree, I'd like to make this change to 2.0. I'd like to leave the current
validation functions as is and have them all default to "canonicalize" -
and then add a new variant of these functions that expose the
canonicalization variable. This is a little more "backward compatible"
friendly. Acceptable?

 

- Jim

 

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Craig Younkins
Sent: Wednesday, July 28, 2010 8:04 AM
To: Jeff Williams
Cc: Kesavanarayanan, Ramesh; <owasp-esapi at lists.owasp.org>
Subject: Re: [OWASP-ESAPI] Issues with Input validation using ESAPI

 

No, I think this is a legitimate issue. He doesn't want to canonicalize that
parameter because it will mess up the user's password. All the getValid
methods in the validators canonicalize before doing anything else. See [1].

 

I think the validators should take an optional flag that defaults to true
that determines whether canonicalization should be done.

 

Craig Younkins

 

[1] http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/validation/StringValidationRule.java#267

On Wed, Jul 28, 2010 at 1:52 PM, Jeff Williams <jeff.williams at owasp.org>
wrote:

Actually I believe that isValidInput calls canonicalize which will throw
this error.  Specifically the error means that your test data contains
double encoded characters - this should only happen in an attack.  I thought
this was configurable, but I'd have to check.  The default is to stop
processing if double encoding is detected - either multiple different
schemes or multiple times.  I suggest changing your test case :-)

--Jeff

 

Jeff Williams

Aspect Security

work: 410-707-1487

main: 301-604-4882

 

 


On Jul 28, 2010, at 12:37 PM, "Kesavanarayanan, Ramesh"
<Ramesh.Kesavanarayanan at Pearson.com> wrote:

"I don't know if you can disable ESAPI rejecting input that has been encoded
multiple times in the same scheme". 

 

One way to do this is to call the ESAPI.validator().isValidInput() method on
every request parameter. If they are true then you call getValidInput(),
else just throw an exception to the end user.

Regards |  Ramesh Kesavanarayanan  |    319-354-9200 ext 215785 / 215972 (O)
|  /  319-621-7641 (M)   | ramesh.kesavanarayanan at pearson.com

  _____  

From: Dave Wichers [mailto:dave.wichers at owasp.org] 
Sent: Wednesday, July 28, 2010 12:20 PM
To: Kesavanarayanan, Ramesh; Craig Younkins
Cc: owasp-esapi at lists.owasp.org; 'Jeff Williams'
Subject: RE: [OWASP-ESAPI] Issues with Input validation using ESAPI

 

ESAPI by default automatically rejects input that has multiple encodings
detected in the input.

 

When ESAPI validates, it first decodes all the input against the encoding
scheme(s) you have selected (or the default), and then it validates.  This
error message looks like it is coming out of the decoder, not the validator.

 

What I'm not sure about is exactly what this error message means; it could be
either:

1) That two different encoding schemes were detected in the same input, or

2) That some of the input has been encoded two or more times with the same
encoding scheme.

I'm assuming it's #2 but it would be good to clarify the error message.

 

If this policy is OK with you, then I think you are good to go.

 

If you don't want to deal with encoded input on this field I believe you can
turn it off, but don't know how. Jeff or Jim or someone should know.

 

I don't know if you can disable ESAPI rejecting input that has been encoded
multiple times in the same scheme.

 

-Dave
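The decode-until-stable loop Dave describes, together with the canonicalization opt-out flag proposed earlier in the thread, as an added Python model written for this page (not ESAPI's code): the two codecs, the variable names and the sample input excerpt are constructed assumptions, chosen so that the same run of backslashes from the thread trips the "Multiple (2x) encoding" check.

```python
import re
# Constructed stand-ins for two ESAPI default codecs (percent, JavaScript escapes).
# Teaching model of the decode loop described in the thread, not ESAPI's code.
_PERCENT = re.compile(r"%([0-9A-Fa-f]{2})")
_JS_BACKSLASH = re.compile(r"\\(.)", re.S)
CODECS = {
    "percent": lambda s: _PERCENT.sub(lambda m: chr(int(m.group(1), 16)), s),
    "javascript": lambda s: _JS_BACKSLASH.sub(lambda m: m.group(1), s),
}

class IntrusionException(Exception):
    """More than one layer of encoding was found in the input."""

def canonicalize(value, strict=True):
    """Decode with every codec until a full pass changes nothing. Each codec that
    alters the data is one encoding layer; strict mode rejects a second layer."""
    found = 0
    while True:
        changed = False
        for decode in CODECS.values():
            out = decode(value)
            if out != value:
                found += 1
                changed = True
                value = out
        if not changed:
            break
    if strict and found > 1:
        raise IntrusionException(f"Multiple ({found}x) encoding detected in {value}")
    return value

# Allow-list from the thread: printable keyboard characters except '"'.
PWD_REGEX = re.compile(r"^[ a-zA-Z0-9!@\\/$#%^&*_+\-=?|><,;:.'`~{}()\[\]]+$")

def get_valid_input(value, pattern=PWD_REGEX, canonicalize_first=True):
    """Modelled getValidInput; canonicalize_first is the opt-out flag proposed in
    the thread. A password field passes False to keep exactly what was typed."""
    data = canonicalize(value) if canonicalize_first else value
    if not pattern.fullmatch(data):
        raise ValueError("input does not match the allow-list pattern")
    return data

def validate_for_display(value, canonicalize_first=True):
    """Return the accepted value, or the rejection reason, for the checks below."""
    try:
        return get_valid_input(value, canonicalize_first=canonicalize_first)
    except (IntrusionException, ValueError) as exc:
        return f"rejected: {exc}"

SAMPLE_PASSWORD = r"asdf{}';::::fasldkf//\\/\/\/[]{\||"  # constructed excerpt of the thread's input
```

Note that even when only one layer is found, canonicalizing a password changes it (`pa\ss/word` becomes `pass/word`), which is the reason the opt-out flag matters for this field.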

 

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Kesavanarayanan,
Ramesh
Sent: Wednesday, July 28, 2010 12:57 PM
To: Craig Younkins
Cc: owasp-esapi at lists.owasp.org
Subject: Re: [OWASP-ESAPI] Issues with Input validation using ESAPI

 

Here is the exception when I change this to your regex and validate with
ESAPI.

 

Multiple (2x) encoding detected in
asdfASDFASDF!@#$%#@$%#$%^&**^&*('$%^&(%^@asdfasdfoasdjfals546756216316315ASDFSDFSDFIASJDFasd{}{}{}{}';::::fasldkf=====---___=+++++++++#@#$!@#$@!#$!@#$////\\/\/\/\/\/\/[][][][][][}}}}}}}}{}{}{}{\||||||

 

 

Regards |  Ramesh Kesavanarayanan  |    319-354-9200 ext 215785 / 215972 (O)
|  /  319-621-7641 (M)   | ramesh.kesavanarayanan at pearson.com

  _____  

From: Craig Younkins [mailto:craig.younkins at owasp.org] 
Sent: Wednesday, July 28, 2010 10:38 AM
To: Kesavanarayanan, Ramesh
Cc: owasp-esapi at lists.owasp.org
Subject: Re: [OWASP-ESAPI] Issues with Input validation using ESAPI

 

Your regex is wrong. Try this:

 

pwdRegEx = "^[ a-zA-Z0-9!@\\\\/$#%\\^&\\*_\\+\\-=\\?\\|><,;:'`~{}()\\[\\]]+";

 

Use something like this to debug your regex: http://gskinner.com/RegExr/

 

Craig Younkins

2010/7/28 Kesavanarayanan, Ramesh <Ramesh.Kesavanarayanan at pearson.com>

I have a text field wherein I allow all characters on the keyboard except
the "double quotes".

1. Characters (a-z, A-Z)

2. Special characters ({!@$#%^&*_+-=[]\|/?>.<,;:'`~})

3. Numbers from 0-9

I have defined the regular expression in my esapi.properties file for this
field as follows

 

The user for example is typing the following character sequence in this text
box and when I validate this using the ESAPI it throws me an exception even
though I have allowed "backslash" in the sequence.

This scenario happens only when the user types a larger number of backslashes
in the text field.

The regular expression I have configured is as follows

pwdRegEx = "^[ a-zA-Z0-9!@\\$#%^&*_+-=\\[\\]\\\\/?\\|><,;:'`~{}()]+$";

User Input 

asdfASDFASDF!@#$%#@$%#$%^&**^&*('$%^&(%^@asdfasdfoasdjfals546756216316315ASDFSDFSDFIASJDFasd{}{}{}{}';::::fasldkf=====---___=+++++++++#@#$!@#$@!#$!@#$////\\/\/\/\/\/\/[][][][][][}}}}}}}}{}{}{}{\||||||

Is there anything I need to do with double encoding or so?

 

Regards |  Ramesh Kesavanarayanan  |    319-354-9200 ext 215785 / 215972 (O)
|  /  319-621-7641 (M)   | ramesh.kesavanarayanan at pearson.com


_______________________________________________
OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-esapi

 

 
