[Esapi-user] disabling logging

augustd augustd at codemagi.com
Tue Sep 28 16:03:12 EDT 2010


I've filed Issue #152 for this problem:

http://code.google.com/p/owasp-esapi-java/issues/detail?id=152

-August

On Tue, Sep 28, 2010 at 9:20 AM, <augustd at codemagi.com> wrote:

> If your intention was to disable the intrusion detector and it still throws
> IntrusionExceptions then I would say it is not good.
>
> -August
>
> Sent via BlackBerry by AT&T
> ------------------------------
> *From: * "Jim Manico" <jim.manico at owasp.org>
> *Date: *Mon, 27 Sep 2010 18:55:28 -1000
> *To: *'augustd'<augustd at codemagi.com>; <Esapi-user at lists.owasp.org>
> *Subject: *RE: [Esapi-user] disabling logging
>
>  So this is good, right?
>
>
>
> *From:* augustd [mailto:augustd at codemagi.com]
> *Sent:* Monday, September 27, 2010 5:28 PM
> *To:* Esapi-user at lists.owasp.org
> *Cc:* Jim Manico
> *Subject:* Re: [Esapi-user] disabling logging
>
>
>
> I have a report from one of my users of IntrusionDetector.Disable not
> working also:
>
>  I have an exception coming from the Intrusion Detection in ESAPI, I tried
> disabling it with:
>
>   IntrusionDetector.Disable=true
>
>
>
> But that doesn’t seem to be working.  The problem is with a cookie value
> that we have.  It seems to be double encoded and the Intrusion Detection
> throws an exception so the loading of the page fails.
>
>
>
> Here’s the exception
>
>
>
> 2010-09-27 18:00:50,811 INFO  [STDOUT] 2010-09-27 18:00:50,810 ERROR [
> some.server.com%2F12.34.56.78-8009-1] Log4JLogFactory$Log4JLogger -
> [SECURITY FAILURE Anonymous:null at unknown ->
> some.server.com:443/ExampleApplication/IntrusionException] INTRUSION -
> Multiple (2x) encoding detected in XXXXXXXXXXXXXXXXXXXXX
>
> 2010-09-27 18:00:50,812 INFO  [STDOUT] 2010-09-27 18:00:50,811 ERROR [
> some.server.com.com%2F12.34.56.78-8009-1] Log4JLogFactory$Log4JLogger -
> [SECURITY FAILURE Anonymous:null at unknown ->
> some.server.com:443/ExampleApplication/com.server.some.SecurityWrapper]
> Error in SecurityWrapper: Input validation failure
>
> org.owasp.esapi.errors.IntrusionException: Input validation failure
>         at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:169)
>         at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:120)
>         at org.owasp.esapi.reference.validation.StringValidationRule.getValid(StringValidationRule.java:290)
>         at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:173)
>
>
>
>
> I dug into the code and it looks like StringValidationRule.getValid( String
> context, String input ) calls the one-argument
> DefaultEncoder.canonicalize(String input) which automatically enforces
> strict intrusion detection regardless of the value in ESAPI.properties.
>
>
>
> -August
>
>
>
> On Fri, Sep 24, 2010 at 6:59 AM, Saad Shakil <sshakil at rim.com> wrote:
>
> But intrusion detection sounds like something I should be keeping :)
>
> Other than validation against the regex, what else does IntrusionDetector
> do?
>
>
>
> *From:* Jim Manico [mailto:jim.manico at owasp.org]
> *Sent:* Thursday, September 23, 2010 8:36 PM
> *To:* Saad Shakil; Esapi-user at lists.owasp.org
> *Subject:* RE: [Esapi-user] disabling logging
>
>
>
> Yes, just disable Intrusion Detection and this problem should go away. To
> do that, please just add the following to your copy of ESAPI.properties
>
>
>
> IntrusionDetector.Disable=true
>
>
>
> *From:* esapi-user-bounces at lists.owasp.org [mailto:
> esapi-user-bounces at lists.owasp.org] *On Behalf Of *Saad Shakil
> *Sent:* Thursday, September 23, 2010 10:38 AM
> *To:* Esapi-user at lists.owasp.org
> *Subject:* [Esapi-user] disabling logging
>
>
>
> I tried setting <priority value ="off" /> in log4j.xml, but still noticed
> an IntrusionDetector SECURITY FAILURE on a validation exception that I catch
> in my code.
>
>
>
> Secondly, separate validation and intrusion exceptions become redundant if
> a third IntrusionDetector exception is already thrown.  IntrusionDetector.class
> reads:
>
> “This method should immediately log the exception so that developers
> throwing an IntrusionException do not have to remember to log every error.”
>
>  I understand that the way we can catch an attack is through validation
> failure, but what distinguishes a harmless error from an actual attack?
>  Right now, I have it so that I violate the default ‘AccountName’ rule by
> trying to update the value to one that is of length 2 characters, when the
> min is three …{3,100}$.  I haven’t dug deep inside ESAPI code, but this
> shouldn’t be treated as an exception in my case, rather just an invalid
> input.  And I’d like to change the logging to reflect that, and the event’s
> handling too if possible.  Any idea on how I can go about doing this?
>
>
>
> Thanks.
>
> -S
>
> ---------------------------------------------------------------------
> This transmission (including any attachments) may contain confidential
> information, privileged material (including material protected by the
> solicitor-client or other applicable privileges), or constitute non-public
> information. Any use of this information by anyone other than the intended
> recipient is prohibited. If you have received this transmission in error,
> please immediately reply to the sender and delete this information from your
> system. Use, dissemination, distribution, or reproduction of this
> transmission by unintended recipients is not authorized and may be unlawful.
>
>
>
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
>
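As an added illustration of what August describes above (this is example code written for this page, not code from the thread or from the ESAPI project), the class below contrasts the two canonicalization paths and separates an ordinary validation failure from an intrusion failure at the call site, which is the distinction Saad asked about. It assumes the ESAPI 2.0 API: `Validator.getValidInput(context, input, type, maxLength, allowNull)`, the two-argument `Encoder.canonicalize(String input, boolean strict)` overload (the thread names only the one-argument overload), and the `HTTPCookieValue` and `AccountName` regex names from the stock ESAPI.properties. The cookie value and account name are constructed samples.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added example (not from the thread, not ESAPI code): strict canonicalization
 * via the validator versus lenient pre-canonicalization, with the two exception
 * types handled separately so a length failure is not treated as an attack.
 */
public class CookieValidationDemo {

    // Constructed sample: "/" percent-encoded twice ("%252F"), the shape of the
    // "Multiple (2x) encoding detected" failure quoted in the thread.
    static final String DOUBLE_ENCODED_COOKIE = "session%252Fabc";

    // Constructed sample for the AccountName case: two characters against a
    // rule whose regex in ESAPI.properties requires at least three.
    static final String SHORT_ACCOUNT_NAME = "ab";

    /**
     * Path 1: Validator.getValidInput -> StringValidationRule.getValid ->
     * DefaultEncoder.canonicalize(String). The one-argument overload is strict,
     * so IntrusionDetector.Disable=true does not stop the IntrusionException
     * on double-encoded input.
     */
    static String validateStrict(String context, String input, String type)
            throws ValidationException, IntrusionException {
        return ESAPI.validator().getValidInput(context, input, type, 100, false);
    }

    /**
     * Path 2 (workaround): decode with canonicalize(input, strict=false), then
     * validate the decoded value so the whitelist regex is still enforced.
     * Assumes the two-argument overload exists in the ESAPI version in use.
     */
    static String validateLenient(String context, String input, String type)
            throws ValidationException, IntrusionException {
        String canonical = ESAPI.encoder().canonicalize(input, false);
        return ESAPI.validator().getValidInput(context, canonical, type, 100, false);
    }

    /** One validation attempt, so each path can be tried under the same handler. */
    interface Check {
        String run() throws ValidationException;
    }

    /** Runs a check and reports which class of failure, if any, it produced. */
    static void report(String label, Check check) {
        try {
            System.out.println(label + ": accepted as \"" + check.run() + "\"");
        } catch (IntrusionException e) {
            // Attack-class failure; ESAPI has already logged it as SECURITY FAILURE.
            System.out.println(label + ": IntrusionException - " + e.getMessage());
        } catch (ValidationException e) {
            // Ordinary bad input; handle as a user error, no intrusion handling.
            System.out.println(label + ": ValidationException - " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        report("strict cookie",  () -> validateStrict("cookie", DOUBLE_ENCODED_COOKIE, "HTTPCookieValue"));
        report("lenient cookie", () -> validateLenient("cookie", DOUBLE_ENCODED_COOKIE, "HTTPCookieValue"));
        report("short account",  () -> validateStrict("account", SHORT_ACCOUNT_NAME, "AccountName"));
    }
}
```

On the behaviour the thread describes, the first call reproduces the `IntrusionException` from the trace above, the second validates the fully decoded cookie value against the same regex, and the third fails with a plain `ValidationException` because the input is simply too short. The lenient path only makes sense as a stopgap while the source of the double encoding is fixed, and whatever the application goes on to use must be the canonicalized value that was actually validated, not the raw cookie string.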