[Esapi-user] CSRF +Character Reference Set + Linux

Jeff Williams jeff.williams at aspectsecurity.com
Wed Jul 28 09:55:52 EDT 2010


Ramesh,


Are you using the CSRFGuard by any chance?  That's a separate project at
OWASP (for now) from ESAPI, so your messages might be going to the wrong
place.


I'm just guessing here, since you've given us very little to work with
in terms of details.  My first question is why you wouldn't just use
actual space or tab characters, instead of trying to use &#160.


But assuming that there are some legitimate characters that you need to
use in the range 160-255, I'm not sure why they're being transformed.
I suspect somewhere along the way the bytes are being written in a
different character set than they were read in. 


Browser <-----> CSRFGuard <-> Struts Action <-> File System


Since you say it works on Windows, and not on Linux, I'd look at the
code that's reading the bytes from the file system. The bottom line is
that *everywhere* that touches those bytes should use UTF-8, and you
should tell the browser to use UTF-8 too.  Craig's point about using a
doctype is important.


--Jeff

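As an added illustration of the read-in-one-charset, write-in-another failure described above (example code, not from this thread or from ESAPI/CSRFGuard; the sample file bytes, the two "platform default" charsets and the relay functions are constructed assumptions, and the Java pipeline is modelled in Python):

```python
# Constructed sample: the HTML quoted later in the thread, but with the
# non-breaking spaces (&#160;) stored as literal characters in a file that
# was saved on Windows in cp1252, where U+00A0 is the single byte 0xA0.
SAMPLE_HTML = "<b>\u00a0\u00a0\u00a0The bread-slicing machine</b>"
FILE_BYTES = SAMPLE_HTML.encode("cp1252")

# Assumed JVM platform defaults for the two deployments (file.encoding).
WINDOWS_DEFAULT = "cp1252"
LINUX_DEFAULT = "utf-8"


def relay_with_platform_default(file_bytes: bytes, platform_default: str) -> bytes:
    """Model a filter or action that turns the file's bytes into a String
    with the platform default charset and writes it back out with the same
    default (what new String(bytes) / getBytes() do in Java). Bytes 0-127
    survive either charset; a lone 0xA0 is not valid UTF-8, so with a UTF-8
    default it is replaced by U+FFFD before being written, like Java does."""
    text = file_bytes.decode(platform_default, errors="replace")
    return text.encode(platform_default, errors="replace")


def relay_with_explicit_utf8(file_bytes: bytes, file_charset: str) -> bytes:
    """The fix: decode with the charset the file was really written in and
    always emit UTF-8 (the response Content-Type should declare it as well)."""
    return file_bytes.decode(file_charset).encode("utf-8")


def browser_render(wire_bytes: bytes, declared_charset: str) -> str:
    """What the browser displays when it decodes the response as declared_charset."""
    return wire_bytes.decode(declared_charset, errors="replace")


def is_valid_utf8(data: bytes) -> bool:
    """Quick check to run over the static files: False means a file was not
    saved as UTF-8, which is exactly what breaks once the default is UTF-8."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    for name, default in (("Windows", WINDOWS_DEFAULT), ("Linux", LINUX_DEFAULT)):
        shown = browser_render(relay_with_platform_default(FILE_BYTES, default), default)
        print(f"{name:8} platform-default relay -> {shown!r}")
    fixed = browser_render(relay_with_explicit_utf8(FILE_BYTES, "cp1252"), "utf-8")
    print(f"explicit UTF-8 relay       -> {fixed!r}")
    print("file is valid UTF-8:", is_valid_utf8(FILE_BYTES))
```

On the Linux path every character above 127 comes out as U+FFFD while the ASCII text around it is untouched, which matches the symptom reported further down; the explicit UTF-8 relay renders identically on both platforms.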

From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of
Kesavanarayanan, Ramesh
Sent: Tuesday, July 27, 2010 3:31 PM
To: Craig Younkins; esapi-user at lists.owasp.org;
owasp-esapi at lists.owasp.org
Subject: Re: [Esapi-user] CSRF +Character Reference Set + Linux


What I figured out is that when my XML file has any character from the
sets defined by

1. http://htmlhelp.com/reference/charset/iso160-191.html
2. http://htmlhelp.com/reference/charset/iso192-223.html
3. http://htmlhelp.com/reference/charset/iso224-255.html


then they appear as JUNK characters.


But if my XML file only has characters from the sets defined by

1. http://htmlhelp.com/reference/charset/iso096-127.html
2. http://htmlhelp.com/reference/charset/iso064-095.html
3. http://htmlhelp.com/reference/charset/iso032-063.html
4. http://htmlhelp.com/reference/charset/iso000-031.html


then the page is getting displayed correctly.


But the same application, when deployed on Windows machines, displays the
XML files correctly irrespective of the character set I use, even with
CSRF enabled.

Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O) |
319-621-7641 (M) | ramesh.kesavanarayanan at pearson.com

________________________________

From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of
Kesavanarayanan, Ramesh
Sent: Tuesday, July 27, 2010 1:29 PM
To: Craig Younkins; esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] CSRF +Character Reference Set + Linux


Here is the logic


1. The application calls the action.do (Struts method)
2. This invokes a servlet via the servlet container
3. The servlet then calls up a Java class
4. This Java class reads the file system and converts the files into a byte[]
5. This is then streamed to the browser


Now that we have configured CSRF using the web.xml, it causes the browser
to display junk characters.


This happens when the application is deployed in a Linux environment.


The same code, when deployed in a Windows environment, displays
correctly.


That's why I am curious whether I am missing anything, or whether we need
additional configuration / settings to be done in the Linux environment.


FYI, I found that if the HTML files have any character reference higher
than &#100; then they display as junk characters.

Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O) |
319-621-7641 (M) | ramesh.kesavanarayanan at pearson.com

________________________________

From: Craig Younkins [mailto:craig.younkins at owasp.org] 
Sent: Tuesday, July 27, 2010 1:16 PM
To: Kesavanarayanan, Ramesh; esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] CSRF +Character Reference Set + Linux


If the application just renders static files on the system, then you
aren't calling any ESAPI methods. If you are calling ESAPI methods,
please show us the relevant code.


Also, please be sure to reply to the list.


Craig Younkins

On Tue, Jul 27, 2010 at 10:42 AM, Kesavanarayanan, Ramesh <
Ramesh.Kesavanarayanan at pearson.com> wrote:

These HTML files are static and reside on the file system. The
application renders them by reading them. When CSRF is enabled, and if
the file contains a TAB / SPACE, on Windows it displays correctly, but when
the same application is deployed on Linux, they display as junk
characters.


But if I disable CSRF then it is displaying correctly.


Appreciate any help on this.


Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O) |
319-621-7641 (M) | ramesh.kesavanarayanan at pearson.com

________________________________

From: Craig Younkins [mailto:craig.younkins at owasp.org] 
Sent: Tuesday, July 27, 2010 8:57 AM
To: Kesavanarayanan, Ramesh
Cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] CSRF +Character Reference Set + Linux


CSRF has nothing to do with character encodings, so I think you're
talking about the XSS codecs. 


What text are you sending through the encoder to get the referenced
output? Where is &#160; coming from? 


If you are outputting HTML you should not have "<?xml version="1.0"
encoding="UTF-8"?>" but rather a doctype. See [1].


Craig Younkins


[1] http://www.w3schools.com/tags/tag_DOCTYPE.asp

On Mon, Jul 26, 2010 at 6:40 PM, Kesavanarayanan, Ramesh <
Ramesh.Kesavanarayanan at pearson.com> wrote:

The issue seems to happen only on Linux boxes.

Sample HTML

<b>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;The bread-slicing
machine has been celebrated as a great invention.</b>

The character &#160; needs to display as a tab (SPACE), but it displays
as JUNK characters.

I indeed have <?xml version="1.0" encoding="UTF-8"?> in the HTML files.

Is there a reason why CSRF displays junk characters when we have
character entries above 100?

Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O) |
319-621-7641 (M) | ramesh.kesavanarayanan at pearson.com

