[Esapi-user] [OWASP-ESAPI] Implementation of Global Output Encoder with ESAPI

Jim Manico jim.manico at owasp.org
Fri May 7 19:37:23 EDT 2010


> Jim you are absolutely right - but there are some cases where you
> need the *big hammer* approach.

You are starting to sound like a WAF vendor. I think Imperva is hiring 
for sales....

*ducks*

<soapbox>
C'mon boys - Risk Management is often used to justify NOT doing the
right thing. Around these parts we OUTPUT ENCODE CONTEXTUALLY FOR ALL 
OUTPUT. NOTHING ELSE STOPS XSS.
</soapbox>

Cheers,
- Jim


> Jim you are absolutely right - but there are some cases where you need 
> the *big hammer* approach... I can vouch for that - especially as a 
> means of getting ESAPI into the door and implemented in a bloated and 
> ever evolving enterprise codebase.
>
> I am not saying this is the *right* way to do things, and I pointed 
> out in the last part of my reply that while this works for a big 
> hammer approach it is *not* 100% reliable and it is not quite so 
> daunting to carve out sections of a site and implement the tags or 
> scriptlet to do it correctly.. :)
>
> Sometimes you gotta prove that something helps when it is used in not 
> quite the 100% correct way just to get it in so you can do
> things correctly... You've worked with stubborn managers before.. *g*
>
> On 5/7/2010 5:17 PM, Jim Manico wrote:
>>> You just create an HttpServletRequestWrapper that returns the
>>> encoded values.
>>
>> Beef... Noooooo!
>>
>> I can't agree with that. This filter method only encodes data in the 
>> HTML body context - leaving all other display contexts vulnerable to XSS!
>>
>> I implore you to manually encode each variable per 
>> http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet 
>> - you can even come up with a few regular expressions to do mass 
>> search-and-replace for some cases.
>>
>> My 2 cents,
>> Jim
>>
>>> Ramesh - (Please use the ESAPI-USER list - this list is deprecated.)
>>>
>>> You just create an HttpServletRequestWrapper that returns the 
>>> encoded values.
>>>
>>> public class MyWrapper extends HttpServletRequestWrapper {
>>>    @Override
>>>    public String getParameter(String key) {
>>>       try {
>>>          return ESAPI.encoder().encodeForHTML( super.getParameter( key ) );
>>>       } catch ( Exception e ) {
>>>          ESAPI.getLogger( "MyWrapper" ).error(
>>>                org.owasp.esapi.Logger.EVENT_FAILURE, "Unable to encode value", e );
>>>       }
>>>       return null;
>>>    }
>>> }
>>>
>>> Obviously, this is an overly simplified version, but it conveys the
>>> point.
>>>
>>> I am curious what you are going for by re-encoding for HTML, 
>>> HTMLAttribute, CSS, and JS?
>>>
>>> I understand the desire to not have to make changes to a *ton* of 
>>> jsps to get this going quickly, and the above works as a good *big 
>>> hammer* solution to solve most problems quickly, but ultimately you 
>>> are going to want to make sure that you start implementing the 
>>> encoding correctly in your view code as you go. It is pretty easy to 
>>> carve out sections of a site and go through that section using the 
>>> ESAPI taglibs or scriptlet to call the correct one.
>>>
>>> Hope this has been helpful.
>>>
>>> Thanks
>>>
>>> On 5/7/2010 2:28 PM, Kesavanarayanan, Ramesh wrote:
>>>>
>>>> I have a question on the output encoding using the ESAPI.
>>>>
>>>> In my application I tried to implement the ESAPI for the response 
>>>> output encoding in a centralized manner so that I do not need to 
>>>> change every JSP page in my application.
>>>>
>>>> The following is the piece of code I have written using my 
>>>> sessionFilter.
>>>>
>>>> import java.io.CharArrayWriter;
>>>>
>>>> public void doFilter(ServletRequest request, ServletResponse response,
>>>>         FilterChain chain) throws ServletException, IOException {
>>>>     HttpServletRequest httpRequest = (HttpServletRequest) request;
>>>>     HttpServletResponse httpResponse = (HttpServletResponse) response;
>>>>     HttpSession session = httpRequest.getSession();
>>>>     ServletResponse newResponse = null;
>>>>     if (request instanceof HttpServletRequest) {
>>>>         newResponse = new CharResponseWrapper(
>>>>                 (HttpServletResponse) response);
>>>>     }
>>>>     chain.doFilter(request, response);
>>>>     String text = newResponse.toString();
>>>>     text = text.toUpperCase();
>>>>     text = ESAPI.encoder().encodeForHTML(text);
>>>>     text = ESAPI.encoder().encodeForHTMLAttribute(text);
>>>>     text = ESAPI.encoder().encodeForJavaScript(text);
>>>>     text = ESAPI.encoder().encodeForCSS(text);
>>>>     CharArrayWriter caw = new CharArrayWriter();
>>>>     if (text != null) {
>>>>         try {
>>>>             caw.write(text);
>>>>             response.getWriter().write(caw.toString());
>>>>         } catch (java.lang.IllegalStateException ille) {
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> In my JSP I have the code as follows
>>>>
>>>> Not working:
>>>>
>>>> <script>
>>>> function setUserName(){
>>>>     document.getElementById("login").value ='<%= (String)request.getAttribute("username") %>';
>>>> }
>>>> </script>
>>>>
>>>> Working:
>>>>
>>>> <%!
>>>> String cleanXSS(String value) {
>>>>     value = ESAPI.encoder().encodeForHTML(value);
>>>>     value = ESAPI.encoder().encodeForHTMLAttribute(value);
>>>>     value = ESAPI.encoder().encodeForJavaScript(value);
>>>>     value = ESAPI.encoder().encodeForCSS(value);
>>>>     return value;
>>>> }
>>>> %>
>>>>
>>>> <script>
>>>> function setUserName(){
>>>>     document.getElementById("login").value ='<%= cleanXSS( (String)request.getAttribute("username") ) %>';
>>>> }
>>>> </script>
>>>>
>>>> As you can see I expect the response to be updated with the ESAPI 
>>>> functions, but somewhere I lose the ESAPI. The idea for me is to
>>>> centralize the output encoding so that it saves me time and effort.
>>>>
>>>> Appreciate if you have any pointers on the same.
>>>>
>>>> Regards | Ramesh Kesavanarayanan | 319-354-9200 ext 215785 / 215972 (O) | 319-621-7641 (M) |
>>>> ramesh.kesavanarayanan at pearson.com
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-ESAPI mailing list
>>>> OWASP-ESAPI at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>>>>    
>>>
>>>
>>
>>


-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
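The contextual-encoding point Jim makes above (and the reason the chained cleanXSS() helper and the whole-response filter are the wrong tools), as an added example that is not code from the thread or from ESAPI. The four encoders are hand-written here to follow the rules in the OWASP XSS Prevention Cheat Sheet linked in the thread, so the script runs without the ESAPI jar; they approximate ESAPI's encoders rather than reproduce them, and the sample user name is constructed. The script renders the setUserName() JSP fragment from Ramesh's mail three ways and decodes the result the way a browser's JavaScript engine would: the JavaScript-context encoder round-trips the value, the HTML-body encoder (what the HttpServletRequestWrapper approach applies everywhere) leaves literal entities in the login field because the HTML parser does not entity-decode the contents of a script block, and running all four encoders in sequence double-encodes the value into unusable text. Incidentally, the filter quoted above calls chain.doFilter(request, response) with the original response rather than newResponse, so the CharResponseWrapper never captures anything.

```python
"""Contextual output encoding for the JSP fragment discussed in the thread.

Added example (not ESAPI's code and not from the mailing-list posts):
the encoders below are hand-written to follow the rules in the OWASP XSS
Prevention Cheat Sheet linked in the thread, so that the script runs
without the ESAPI jar. They approximate ESAPI's encoders; they are not
its implementation.
"""
import html
import re

_ALNUM = re.compile(r"[A-Za-z0-9]")


def _is_safe(ch):
    """Alphanumerics pass through every encoder unchanged."""
    return _ALNUM.fullmatch(ch) is not None


def encode_for_html(value):
    """HTML body context: entity-encode & < > " ' and /."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
             '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}
    return "".join(table.get(ch, ch) for ch in value)


def encode_for_html_attribute(value):
    """Quoted HTML attribute context: &#xHH; for every non-alphanumeric."""
    return "".join(ch if _is_safe(ch) else "&#x%X;" % ord(ch) for ch in value)


def encode_for_javascript(value):
    """JavaScript string literal context: \\xHH below U+0100, \\uHHHH above."""
    out = []
    for ch in value:
        if _is_safe(ch):
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "".join(out)


def encode_for_css(value):
    """CSS value context: \\HH escape, terminated by a space."""
    return "".join(ch if _is_safe(ch) else "\\%X " % ord(ch) for ch in value)


def chained_clean_xss(value):
    """The cleanXSS() helper from Ramesh's JSP: all four encoders in sequence."""
    for encoder in (encode_for_html, encode_for_html_attribute,
                    encode_for_javascript, encode_for_css):
        value = encoder(value)
    return value


def render_login_script(username, encoder):
    """The setUserName() fragment: the value lands inside a JS string literal."""
    return "document.getElementById(\"login\").value ='%s';" % encoder(username)


def decode_javascript_string(literal):
    """What the JS engine does with \\xHH / \\uHHHH escapes in a string literal."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)


def value_seen_by_js(script):
    """Pull the string literal out of the rendered script and decode it as the
    browser would. A <script> block is raw text to the HTML parser, so HTML
    entities inside it are NOT decoded; only JavaScript escapes are undone."""
    match = re.search(r"value ='(.*)';", script)
    return decode_javascript_string(match.group(1))


def value_seen_in_html_body(encoded):
    """What the HTML parser shows for text placed in the HTML body context."""
    return html.unescape(encoded)


USERNAME = "O'Brien & Sons"  # constructed sample value, not from the thread

if __name__ == "__main__":
    for name, enc in (("encodeForJavaScript", encode_for_javascript),
                      ("encodeForHTML", encode_for_html),
                      ("cleanXSS (chained)", chained_clean_xss)):
        script = render_login_script(USERNAME, enc)
        print("%-22s -> login field shows %r" % (name, value_seen_by_js(script)))
    # Encoding a whole response body, as the filter in the thread tries to,
    # entity-encodes the page's own markup along with the data in it.
    print(encode_for_html("<input id=\"login\">"))
```

Only encode_for_javascript gives the login field the user's actual name; the HTML-body encoder yields `O&#x27;Brien &amp; Sons` on screen, and the chained helper yields a string of CSS-escaped backslashes. Each sink gets exactly one encoder, chosen by the context it writes into, which is the rule the cheat sheet and Jim's reply are both stating.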
