[Esapi-user] Esapi-user Digest, Vol 20, Issue 12

Jim Manico jim.manico at owasp.org
Wed Jul 27 18:14:08 EDT 2011


Rama,

This is a deeply fragile way to stop XSS. Can you just use parameterized
queries with data binding? We heavily recommend this as the best way to stop
SQL injection.

- Jim Manico
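Jim's recommendation above, worked out as an added example (not code from this thread or from ESAPI itself): the encode-and-concatenate pattern from Rama's snippet beside the parameterized form, plus the one case binding cannot cover. The `accounts` table, its columns, the `AccountLookup` class and the container-supplied `DataSource` are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.sql.DataSource;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.OracleCodec;

public class AccountLookup {
    // Hypothetical table and columns; the DataSource comes from the container.
    private final DataSource ds;
    public AccountLookup(DataSource ds) { this.ds = ds; }

    // FRAGILE: the encoder only neutralises quote characters inside a correctly
    // quoted string literal. It does nothing for a value that lands in a numeric
    // or identifier position, and it is only right if the codec matches the
    // database's exact quoting rules and character set.
    public List<String> findByNameEncoded(String name) throws SQLException {
        String sql = "SELECT email FROM accounts WHERE name = '"
                + ESAPI.encoder().encodeForSQL(new OracleCodec(), name) + "'";
        try (Connection c = ds.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // PREFERRED: the SQL text is fixed; the driver ships the value as a typed
    // parameter, so it is never parsed as part of the statement.
    public List<String> findByNameBound(String name) throws SQLException {
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                     "SELECT email FROM accounts WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Binding cannot cover identifiers (column names, ORDER BY targets), so
    // those must come from a fixed allow-list, never from request data.
    private static final Set<String> SORT_COLUMNS = Set.of("name", "email", "created");

    public List<String> findAllSorted(String sortColumn) throws SQLException {
        if (!SORT_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        try (Connection c = ds.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT email FROM accounts ORDER BY " + sortColumn)) {
            return collect(rs);
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) out.add(rs.getString("email"));
        return out;
    }
}
```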

On Jul 27, 2011, at 12:48 PM, Rama Krishna Pathangi <rpathangi at hotmail.com> wrote:

Hello,

We are currently using ESAPI 2.0 GA.
In line with the following, I was wondering if we can have a codec for
SQLServer in your future release.
ESAPI.encoder().encodeForSQL( new OracleCodec(), dirtyString );
ESAPI.encoder().encodeForSQL( new DB2Codec(), dirtyString );

--
Rama Krishna Rao Pathangi
[c] 1 503 962 9480
[f]  1 801 409 7951


> From: esapi-user-request at lists.owasp.org
> Subject: Esapi-user Digest, Vol 20, Issue 12
> To: esapi-user at lists.owasp.org
> Date: Wed, 27 Jul 2011 12:00:05 -0400
>
> Send Esapi-user mailing list submissions to
> esapi-user at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.owasp.org/mailman/listinfo/esapi-user
> or, via email, send a message with subject or body 'help' to
> esapi-user-request at lists.owasp.org
>
> You can reach the person managing the list at
> esapi-user-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Esapi-user digest..."
>
>
> Today's Topics:
>
> 1. Re: [Esapi-dev] ESAPI 2.0.1 Released (Dave Wolf)
> 2. Fwd: .NET and Java WAF (Christian Heinrich)
> 3. Re: .NET and Java WAF (Jim Manico)
> 4. Re: [Esapi-dev] .NET and Java WAF (Kevin W. Wall)
> 5. Re: [GPC] Fwd: .NET and Java WAF (Jason Li)
> 6. using SafeRequest (Normando Macaraeg)
> 7. Re: using SafeRequest (Kevin W. Wall)
> 8. Re: [Esapi-dev] .NET and Java WAF (Christian Heinrich)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 26 Jul 2011 17:14:12 +0000
> From: Dave Wolf <dave.wolf at gmail.com>
> Subject: Re: [Esapi-user] [Esapi-dev] ESAPI 2.0.1 Released
> To: ESAPI Dev List <esapi-dev at lists.owasp.org>,
> "Esapi-user at lists.owasp.org" <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAF1Q6Q3EHDgAwCheTt6e9E3HmZd+smu3eVSkEj8dqpHV1nRpyA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> FYI, I'm not finding 2.0.1 on Maven Central. The most current release that
> shows up is 2.0GA. I'm searching using:
> g:"org.owasp.esapi" AND a:"esapi" AND v:"2.0.1"
>
> Any ideas what is going on?
>
> Thanks,
>
> Dave Wolf
>
> Date: Mon, 25 Jul 2011 08:01:35 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-dev] ESAPI 2.0.1 Released
> To: Chris Schmidt <chris.schmidt at owasp.org>
> Cc: ESAPI Devs <esapi-dev at lists.owasp.org>,
> "Esapi-user at lists.owasp.org" <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAOPE6PhgP5NnFLxA2nBKKCG5P39N4vuTU0+U1U3SmbcC_eY2kA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Mon, Jul 25, 2011 at 4:44 AM, Chris Schmidt <chris.schmidt at owasp.org>
> wrote:
> > Due to popular demand ESAPI 2.0.1 has been released with some minor (but
> > important) bug fixes. The changelist is below.
> > [snip]
> > Change log from 2.0.GA to 2.0.1
> >
> > 2011-07-25 00:01:38 chrisisbeef /trunk/pom.xml v 1858
> >
> > Removed version from project name... Fixes Issue #235
> > 2011-07-24 23:56:06 chrisisbeef
> > /trunk/configuration/esapi/ESAPI.properties v 1857
> > /trunk/src/test/java/org/owasp/esapi/reference/ValidatorTest.java v 1857
> >
> > Resolves issue #46 - allow context path to have leading slash or be empty
> > 2011-07-23 14:36:17 chrisisbeef
> > /trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java v 1856
> >
> > Get rid of really irritating stacktrace every time esapi loads.
> >
> > fixes issue #220
> > 2011-07-23 14:25:45 chrisisbeef
> > /trunk/src/main/java/org/owasp/esapi/reference/DefaultValidator.java v 1855
> >
> > Resolve issue 232 Validation Type Error
> > 2011-07-23 14:17:34 chrisisbeef
> > /trunk/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java v 1854
> >
> > Fix issue 231 inverted logic error with canonicalization.
>
> Chris,
>
> Well, let me be amongst the first to publicly congratulate you for pushing
> out these fixes, and especially issue #46, which I pretty much dropped the
> ball on.
>
> Thanks for your hard work. The whole ESAPI community owes you a beer!
> Great job.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
> Dave Wolf
>
> "There is no passion to be found playing small - in settling for a life that
> is less than the one you are capable of living." --Nelson Mandela
>
> ------------------------------
>
> Message: 2
> Date: Wed, 27 Jul 2011 10:23:39 +1000
> From: Christian Heinrich <christian.heinrich at owasp.org>
> Subject: [Esapi-user] Fwd: .NET and Java WAF
> To: Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAFCvB5JThsd3g2AKP9kthkHKcywgj7dbK4r9JaMtqtVd3WEmZA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> GPC,
>
> Please consider this notice that "we" intend to escalate for
> recognition as an OWASP Project by the GPC shortly after BlackHat and
> DefCon.
>
> Hence I have CC ESAPI Mailing List for discussion in the interim until
> the @owasp.org Mailing Lists are created.
>
> Juan, Ryan, Jason and Jason have been BCC.
>
> ---------- Forwarded message ----------
> From: Christian Heinrich <christian.heinrich at owasp.org>
> Date: Tue, Jul 26, 2011 at 8:33 AM
> Subject: Re: [Esapi-user] WAF 2.0? alpha on repository
> To: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
> Cc: Jim Manico <jim.manico at owasp.org>, Ryan Barnett <ryan.barnett at owasp.org>
>
>
> Juan,
>
> On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> consultant) <juan.calderon at ge.com> wrote:
> > What do you mean closing this off? Having it ready or defining is an
> > OWASP project?
>
> I was referring to having it listed as an OWASP Project, such as an
> associated mailing list, etc.
>
> On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> consultant) <juan.calderon at ge.com> wrote:
> > Just as a small update, Aldo Salas a certified Java developer is helping
> > me out to finish this project, we have a progress meeting this Thursday,
> > also I sent a paper proposal to OWASP LATAM to present a course on
> > Mod_security for Java this October (that is it should be well tested and
> > finished by then) :)
>
> I can note this milestone in the Project Plan - I will list it for
> November to account for the unlikely event that the deadline slips or
> to demonstrate that we ship it earlier than expected :)
>
>
> --
> Regards,
> Christian Heinrich
> http://www.owasp.org/index.php/user:cmlh
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 26 Jul 2011 19:25:14 -0500
> From: Jim Manico <jim.manico at owasp.org>
> Subject: Re: [Esapi-user] .NET and Java WAF
> To: Christian Heinrich <christian.heinrich at owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID: <-2981349937657456396 at unknownmsgid>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I totally support splitting the ESAPI WAF into a brand new project. Go
> for it - and great work!
>
> - Jim Manico
>
> On Jul 26, 2011, at 7:23 PM, Christian Heinrich
> <christian.heinrich at owasp.org> wrote:
>
> > GPC,
> >
> > Please consider this notice that "we" intend to escalate for
> > recognition as an OWASP Project by the GPC shortly after BlackHat and
> > DefCon.
> >
> > Hence I have CC ESAPI Mailing List for discussion in the interim until
> > the @owasp.org Mailing Lists are created.
> >
> > Juan, Ryan, Jason and Jason have been BCC.
> >
> > ---------- Forwarded message ----------
> > From: Christian Heinrich <christian.heinrich at owasp.org>
> > Date: Tue, Jul 26, 2011 at 8:33 AM
> > Subject: Re: [Esapi-user] WAF 2.0? alpha on repository
> > To: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
> > Cc: Jim Manico <jim.manico at owasp.org>, Ryan Barnett <ryan.barnett at owasp.org>
> >
> >
> > Juan,
> >
> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> > consultant) <juan.calderon at ge.com> wrote:
> >> What do you mean closing this off? Having it ready or defining is an
> >> OWASP project?
> >
> > I was referring to having it listed as an OWASP Project, such as an
> > associated mailing list, etc.
> >
> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> > consultant) <juan.calderon at ge.com> wrote:
> >> Just as a small update, Aldo Salas a certified Java developer is helping
> >> me out to finish this project, we have a progress meeting this Thursday,
> >> also I sent a paper proposal to OWASP LATAM to present a course on
> >> Mod_security for Java this October (that is it should be well tested and
> >> finished by then) :)
> >
> > I can note this milestone in the Project Plan - I will list it for
> > November to account for the unlikely event that the deadline slips or
> > to demonstrate that we ship it earlier than expected :)
> >
> >
> > --
> > Regards,
> > Christian Heinrich
> > http://www.owasp.org/index.php/user:cmlh
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 26 Jul 2011 21:39:10 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-user] [Esapi-dev] .NET and Java WAF
> To: Jim Manico <jim.manico at owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID:
> <CAOPE6Ph85Po+9Qs6d96GzYg4=5j5sYXQOU7JFEpJgF+o8iX_dg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Jul 26, 2011 at 8:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
> > I totally support splitting the ESAPI WAF into a brand new project. Go
> > for it - and great work!
>
> Christian,
>
> I concur. However, please do keep us in the loop, especially if you make
> any changes that would affect how it is used in ESAPI. I think that we would
> like to keep it as an option there and also be able to drop in your latest
> version.
>
> Thanks,
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 26 Jul 2011 21:51:42 -0400
> From: Jason Li <jason.li at owasp.org>
> Subject: Re: [Esapi-user] [GPC] Fwd: .NET and Java WAF
> To: Christian Heinrich <christian.heinrich at owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID:
> <CAPfGuxawWMudERxnbN+-LfKZQ1tMfhUVs69fs9ntWkjHOiNPjg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Christian,
>
> There's no need to "escalate" for recognition.
>
> Any idea can always be submitted to the GPC and they will be processed
> by Paulo Coimbra like all other requests.
>
> I would encourage the group to read the wiki article on starting an
> OWASP project (https://www.owasp.org/index.php/How_to_Start_an_OWASP_Project)
> and ensure that the group submits the necessary information.
>
> -Jason
>
> On Tue, Jul 26, 2011 at 8:23 PM, Christian Heinrich
> <christian.heinrich at owasp.org> wrote:
> > GPC,
> >
> > Please consider this notice that "we" intend to escalate for
> > recognition as an OWASP Project by the GPC shortly after BlackHat and
> > DefCon.
> >
> > Hence I have CC ESAPI Mailing List for discussion in the interim until
> > the @owasp.org Mailing Lists are created.
> >
> > Juan, Ryan, Jason and Jason have been BCC.
> >
> > ---------- Forwarded message ----------
> > From: Christian Heinrich <christian.heinrich at owasp.org>
> > Date: Tue, Jul 26, 2011 at 8:33 AM
> > Subject: Re: [Esapi-user] WAF 2.0? alpha on repository
> > To: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
> > Cc: Jim Manico <jim.manico at owasp.org>, Ryan Barnett <ryan.barnett at owasp.org>
> >
> >
> > Juan,
> >
> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> > consultant) <juan.calderon at ge.com> wrote:
> >> What do you mean closing this off? Having it ready or defining is an
> >> OWASP project?
> >
> > I was referring to having it listed as an OWASP Project, such as an
> > associated mailing list, etc.
> >
> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> > consultant) <juan.calderon at ge.com> wrote:
> >> Just as a small update, Aldo Salas a certified Java developer is helping
> >> me out to finish this project, we have a progress meeting this Thursday,
> >> also I sent a paper proposal to OWASP LATAM to present a course on
> >> Mod_security for Java this October (that is it should be well tested and
> >> finished by then) :)
> >
> > I can note this milestone in the Project Plan - I will list it for
> > November to account for the unlikely event that the deadline slips or
> > to demonstrate that we ship it earlier than expected :)
> >
> >
> > --
> > Regards,
> > Christian Heinrich
> > http://www.owasp.org/index.php/user:cmlh
> > _______________________________________________
> > Global-projects-committee mailing list
> > Global-projects-committee at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/global-projects-committee
> >
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 26 Jul 2011 19:48:57 -0700 (PDT)
> From: "Normando Macaraeg" <nmacaraeg at jaspersoft.com>
> Subject: [Esapi-user] using SafeRequest
> To: <esapi-user at lists.owasp.org>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> Using the ESAPI Book as my guide, it looks like when I find code that
> looks like:
>
> HttpSession session = request.getSession(); // unsafe session
>
> I should change the code to this:
>
> HttpSession session = new SafeRequest( request ).getSession(); // safe
> session
>
> But the book says this works only if I enable the ESAPIFilter. How do I
> enable the ESAPIFilter?
>
> -Norm
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 26 Jul 2011 23:32:01 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-user] using SafeRequest
> To: Normando Macaraeg <nmacaraeg at jaspersoft.com>
> Cc: esapi-user at lists.owasp.org
> Message-ID:
> <CAOPE6Pj3joRXWCo8bJY+BJPDy9Z_om-AZDkokumJEiSFganNPQ at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Jul 26, 2011 at 10:48 PM, Normando Macaraeg
> <nmacaraeg at jaspersoft.com> wrote:
> > Hi,
> >
> > Using the ESAPI Book as my guide, it looks like when I find code that
> > looks like:
> >
> > HttpSession session = request.getSession(); // unsafe session
> >
> > I should change the code to this:
> >
> > HttpSession session = new SafeRequest( request ).getSession(); // safe
> > session
> >
> > But the book says this works only if I enable the ESAPIFilter. How do I
> > enable the ESAPIFilter?
>
> You configure it just like any other Java Servlet filter.
> In your WEB-INF/web.xml file, you would do something like
> this:
>
> <web-app id="myWebApp">
>   ...
>   <filter>
>     <filter-name>ESAPI-Filter</filter-name>
>     <filter-class>org.owasp.esapi.filters.ESAPIFilter</filter-class>
>     <!-- Note: Not sure it has any parameters. Check the
>          source code or ask Jeff Williams. I don't have time
>          right now. However, this is how you specify
>          parameters. You can have more than one init-param
>          section. -->
>     <init-param>
>       <param-name>greetings</param-name>
>       <param-value>Hello, World</param-value>
>     </init-param>
>   </filter>
>
>   <filter-mapping>
>     <filter-name>ESAPI-Filter</filter-name>
>     <url-pattern>/images/*</url-pattern>
>   </filter-mapping>
>   ...
> </web-app>
>
> The exact syntax may be slightly different depending on what
> Servlet Spec your JavaEE / servlet container adheres to. Shown
> above is for Servlet Spec 2.4.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 27 Jul 2011 16:54:00 +1000
> From: Christian Heinrich <christian.heinrich at owasp.org>
> Subject: Re: [Esapi-user] [Esapi-dev] .NET and Java WAF
> To: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAFCvB5Lq+GHVgySp+Z0do4x0w4RdN1YF1wy5Bbk4PrXLeQcK6A at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Kevin,
>
> I have dropped the GPC for the moment from this discussion.
>
> On Wed, Jul 27, 2011 at 11:39 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> > I concur. However, please do keep us in the loop, especially if you make
> > any changes that would affect how it is used in ESAPI. I think that we would
> > like to keep it as an option there and also be able to drop in your latest
> > version.
>
> I can create a dependency in the Project Plan for this and a SVN tag
> for the attention of ESAPI Java.
>
> For your reference, Juan's import from ESAPI Java was
> http://code.google.com/p/owasp-java-waf/source/detail?r=2
>
>
> --
> Regards,
> Christian Heinrich
> http://www.owasp.org/index.php/user:cmlh
>
>
> ------------------------------
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
> End of Esapi-user Digest, Vol 20, Issue 12
> ******************************************
