[Esapi-user] disabling logging

augustd augustd at codemagi.com
Mon Sep 27 23:28:16 EDT 2010


I have a report from one of my users of IntrusionDetector.Disable not
working also:


I have an exception coming from the Intrusion Detection in ESAPI, I tried
disabling it with:

  IntrusionDetector.Disable=true



But that doesn’t seem to be working. The problem is with a cookie value
that we have. It seems to be double encoded and the Intrusion Detection
throws an exception so the loading of the page fails.



Here’s the exception



2010-09-27 18:00:50,811 INFO  [STDOUT] 2010-09-27 18:00:50,810 ERROR [
some.server.com%2F12.34.56.78-8009-1] Log4JLogFactory$Log4JLogger -
[SECURITY FAILURE Anonymous:null at unknown ->
some.server.com:443/ExampleApplication/IntrusionException] INTRUSION -
Multiple (2x) encoding detected in XXXXXXXXXXXXXXXXXXXXX

2010-09-27 18:00:50,812 INFO  [STDOUT] 2010-09-27 18:00:50,811 ERROR [
some.server.com.com%2F12.34.56.78-8009-1] Log4JLogFactory$Log4JLogger -
[SECURITY FAILURE Anonymous:null at unknown ->
some.server.com:443/ExampleApplication/com.server.some.SecurityWrapper]
Error in SecurityWrapper: Input validation failure

org.owasp.esapi.errors.IntrusionException: Input validation failure
        at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:169)
        at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:120)
        at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:290)
        at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:173)



I dug into the code and it looks like StringValidationRule.getValid( String
context, String input ) calls the one-argument
DefaultEncoder.canonicalize(String input) which automatically enforces
strict intrusion detection regardless of the value in ESAPI.properties.


-August


On Fri, Sep 24, 2010 at 6:59 AM, Saad Shakil <sshakil at rim.com> wrote:

>  But intrusion detection sounds like something I should be keeping :)
>
> Other than validation against the regex, what else does IntrusionDetector
> do?
>
>
>
> *From:* Jim Manico [mailto:jim.manico at owasp.org]
> *Sent:* Thursday, September 23, 2010 8:36 PM
> *To:* Saad Shakil; Esapi-user at lists.owasp.org
> *Subject:* RE: [Esapi-user] disabling logging
>
>
>
> Yes, just disable Intrusion Detection and this problem should go away. To
> do that, please just add the following to your copy of ESAPI.properties
>
>
>
> IntrusionDetector.Disable=true
>
>
>
> *From:* esapi-user-bounces at lists.owasp.org [mailto:
> esapi-user-bounces at lists.owasp.org] *On Behalf Of *Saad Shakil
> *Sent:* Thursday, September 23, 2010 10:38 AM
> *To:* Esapi-user at lists.owasp.org
> *Subject:* [Esapi-user] disabling logging
>
>
>
> I tried setting <priority value ="off" /> in log4j.xml, but still noticed
> an IntrusionDetector SECURITY FAILURE on a validation exception that I catch
> in my code.
>
>
>
> Secondly, separate validation and intrusion exceptions become redundant if
> a third IntrusionDetector exception is already thrown. IntrusionDetector.class
> reads:
>
> “This method should immediately log the exception so that developers
> throwing an IntrusionException do not have to remember to log every error.”
>
> I understand that the way we can catch an attack is through validation
> failure, but what distinguishes a harmless error from an actual attack?
> Right now, I have it so that I violate the default ‘AccountName’ rule by
> trying to update the value to one that is of length 2 characters, when the
> min is three …{3,100}$. I haven’t dug deep inside ESAPI code, but this
> shouldn’t be treated as an exception in my case, rather just an invalid
> input. And I’d like to change the logging to reflect that, and the event’s
> handling too if possible. Any idea on how I can go about doing this?
>
>
>
> Thanks.
>
> -S
>
> ---------------------------------------------------------------------
> This transmission (including any attachments) may contain confidential
> information, privileged material (including material protected by the
> solicitor-client or other applicable privileges), or constitute non-public
> information. Any use of this information by anyone other than the intended
> recipient is prohibited. If you have received this transmission in error,
> please immediately reply to the sender and delete this information from your
> system. Use, dissemination, distribution, or reproduction of this
> transmission by unintended recipients is not authorized and may be unlawful.
>
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
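As an added illustration of the failure August describes above (this is not code from the thread or from ESAPI itself), the following Python model decodes a value one encoding layer at a time and raises once a second layer is found, which is the behaviour the strict one-argument canonicalize() exhibits on the double-encoded cookie; beside it is a non-strict check an application could run on cookie values before handing them to a validator. The names canonicalize, strict_check and classify_cookie, the max_passes limit and the sample cookie values are assumptions made here.

```python
import urllib.parse

class IntrusionError(ValueError):
    """Raised in strict mode when a value carries more than one layer of encoding."""

def canonicalize(value: str, strict: bool = True, max_passes: int = 10):
    """Percent-decode value repeatedly until it stops changing.

    Returns (decoded_value, passes); each pass that changes the string is one
    encoding layer. With strict=True more than one layer raises IntrusionError,
    modelling ESAPI's one-argument canonicalize() ("Multiple (2x) encoding
    detected"). With strict=False the caller gets the value and the count.
    """
    current, passes = value, 0
    while passes < max_passes:
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    if strict and passes > 1:
        raise IntrusionError(f"Multiple ({passes}x) encoding detected in {value!r}")
    return current, passes

def strict_check(value: str):
    """Return None when strict canonicalization accepts value, else the error text."""
    try:
        canonicalize(value, strict=True)
        return None
    except IntrusionError as exc:
        return str(exc)

def classify_cookie(raw_value: str):
    """Classify a raw cookie value before it reaches a strict validator.

    Returns ("ok", decoded) for plain or singly-encoded values and
    ("double-encoded", decoded) otherwise, so the application can reject or
    clear the cookie as invalid input instead of failing the page load.
    """
    decoded, passes = canonicalize(raw_value, strict=False)
    return ("double-encoded" if passes > 1 else "ok", decoded)

# Constructed sample cookie values; they are not taken from the thread's logs.
SAMPLE_COOKIES = {
    "plain": "user42",
    "single": "path%2Fto%2Fpage",      # one layer: %2F -> /
    "double": "path%252Fto%252Fpage",  # two layers: %252F -> %2F -> /
    "literal_percent": "100%25",       # decodes once to "100%", then stops
}
```

Running classify_cookie over SAMPLE_COOKIES flags only the "double" entry, while strict_check returns an error text for it and None for the others, including the value that merely contains a literal percent sign.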