[Esapi-user] CSRF +Character Reference Set + Linux

Kesavanarayanan, Ramesh Ramesh.Kesavanarayanan at Pearson.com
Tue Jul 27 14:28:42 EDT 2010


Here is the logic:

1. The application calls the action.do (Struts method)
2. This invokes a servlet via the servlet container
3. The servlet then calls up a Java class
4. This Java class reads the file system and converts them into a byte[]
5. This is then streamed into the browser

Now that we have configured CSRF using the web.xml, it causes the browser to display junk characters.

This happens when the application is deployed in a Linux environment.

The same code, when deployed in a Windows environment, displays the correct way.

That's why I am curious as to whether I am missing anything, or whether we need additional configurations / settings to be done in the Linux environment.

FYI, I found that if the HTML files have a character reference higher than &#100, then they display as junk characters.

Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O) | 319-621-7641 (M) | ramesh.kesavanarayanan at pearson.com
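An added example, not code from this thread or from ESAPI, showing the usual cause of a "correct on Windows, junk on Linux" difference in a pipeline like the one above: somewhere between the byte[] read from disk and the browser, the bytes are turned into a Java String and back again without naming a charset, so the JVM default charset is used. On a Windows JVM that default is normally windows-1252, which round-trips almost every byte unchanged, so the output looks fine by accident; on a Linux JVM the default comes from the locale, and a container started with no LANG set gets the POSIX locale, i.e. US-ASCII, which replaces every non-ASCII byte with '?'. That also fits the observation about character references: a reference that decodes to a code point of 127 or below is plain ASCII and survives any charset, anything above it does not. The servlet below streams the file bytes untouched and declares the charset on the response; the two helper methods reproduce the implicit and the explicit round trip. The directory, the `page` parameter, the class name and the assumption that the files are saved as UTF-8 are choices made for the example, and since the thread does not say which component does the conversion, the mechanism is an assumed diagnosis, not a confirmed one. Requires Java 7 or later and the javax.servlet API.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Serves static HTML files as raw bytes with an explicitly declared charset. */
public class StaticHtmlServlet extends HttpServlet {

    // Assumed location of the static HTML files; the thread does not give the real path.
    private static final Path BASE_DIR =
            Paths.get("/opt/app/static-html").toAbsolutePath().normalize();
    // Assumed: the files on disk are saved as UTF-8 (they declare encoding="UTF-8").
    private static final Charset FILE_CHARSET = StandardCharsets.UTF_8;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("page");   // assumed parameter name
        // Accept only a plain file name so the request cannot reach outside BASE_DIR.
        if (name == null || !name.matches("[A-Za-z0-9_-]+\\.html")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        Path file = BASE_DIR.resolve(name).normalize();
        if (!file.startsWith(BASE_DIR) || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        byte[] body = Files.readAllBytes(file);

        // Declare the charset on the response: the browser then decodes the bytes the
        // same way on every platform, and any wrapper that later calls getWriter()
        // encodes with this charset instead of the container/JVM default.
        resp.setContentType("text/html; charset=" + FILE_CHARSET.name());
        resp.setContentLength(body.length);
        OutputStream out = resp.getOutputStream();
        out.write(body);   // bytes go out exactly as read: no String round trip at all
        out.flush();
    }

    /** The implicit round trip: decode and encode with the JVM default charset. */
    static byte[] roundTripViaDefaultCharset(byte[] in) {
        String text = new String(in);   // uses Charset.defaultCharset()
        return text.getBytes();         // uses Charset.defaultCharset() again
    }

    /** The safe round trip: the same explicit charset in both directions. */
    static byte[] roundTripExplicit(byte[] in, Charset actual) {
        return new String(in, actual).getBytes(actual);
    }

    /**
     * Self-check. Run once with the normal JVM settings and once with
     * -Dfile.encoding=US-ASCII (what a Linux JVM gets from the POSIX locale):
     * the explicit round trip stays intact, the default one loses the U+00A0 bytes.
     */
    public static void main(String[] args) {
        // Constructed sample: the thread's &#160; already decoded to U+00A0 NO-BREAK SPACE.
        byte[] utf8 = "<b>\u00A0\u00A0The bread-slicing machine</b>"
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("JVM default charset : " + Charset.defaultCharset());
        System.out.println("explicit round trip : "
                + (Arrays.equals(utf8, roundTripExplicit(utf8, StandardCharsets.UTF_8))
                        ? "intact" : "CORRUPTED"));
        System.out.println("default round trip  : "
                + (Arrays.equals(utf8, roundTripViaDefaultCharset(utf8))
                        ? "intact" : "CORRUPTED"));
    }
}
```

Setting the container's locale or `-Dfile.encoding=UTF-8` on the Linux JVM makes the implicit round trip lossless for UTF-8 files and is a reasonable deployment-side check, but only naming the charset in every byte-to-String conversion, and on the response, removes the platform dependence instead of hiding it.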

________________________________

From: Craig Younkins [mailto:craig.younkins at owasp.org]
Sent: Tuesday, July 27, 2010 1:16 PM
To: Kesavanarayanan, Ramesh; esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] CSRF +Character Reference Set + Linux

If the application just renders static files on the system, then you aren't calling any ESAPI methods. If you are calling ESAPI methods, please show us the relevant code.

Also, please be sure to reply to the list.

Craig Younkins

On Tue, Jul 27, 2010 at 10:42 AM, Kesavanarayanan, Ramesh <Ramesh.Kesavanarayanan at pearson.com> wrote:

These HTML files are static and reside on the file system. The application renders them by reading them. When CSRF is enabled, and if the file contains TAB / SPACE, on Windows it displays correctly, but when the same application is deployed in Linux, then they display as junk characters.

But if I disable CSRF, then it displays correctly.

Appreciate any help on this.

Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O) | 319-621-7641 (M) | ramesh.kesavanarayanan at pearson.com

________________________________

From: Craig Younkins [mailto:craig.younkins at owasp.org]
Sent: Tuesday, July 27, 2010 8:57 AM
To: Kesavanarayanan, Ramesh
Cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] CSRF +Character Reference Set + Linux

CSRF has nothing to do with character encodings, so I think you're talking about the XSS codecs.

What text are you sending through the encoder to get the referenced output? Where is &#160; coming from?

If you are outputting HTML you should not have "<?xml version="1.0" encoding="UTF-8"?>" but rather a doctype. See [1].

Craig Younkins

[1] http://www.w3schools.com/tags/tag_DOCTYPE.asp

On Mon, Jul 26, 2010 at 6:40 PM, Kesavanarayanan, Ramesh <Ramesh.Kesavanarayanan at pearson.com> wrote:

The issue seems to happen only on Linux boxes.

Sample HTML:

<b>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;The bread-slicing machine has been celebrated as a great invention.</b>

Needs to display the character set &#160; as tab (SPACE), but it displays as JUNK characters.

I indeed have <?xml version="1.0" encoding="UTF-8"?> in the HTML files.

Is there a reason why CSRF does display as junk characters when we have the character entry set more than 100?

Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O) | 319-621-7641 (M) | ramesh.kesavanarayanan at pearson.com


_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user