[Esapi-user] Esapi-user Digest, Vol 20, Issue 12
Jeff Williams
jeff.williams at aspectsecurity.com
Wed Jul 27 23:32:08 EDT 2011
Codecs aren't a last resort for canonicalization and input validation,
which is required for attack detection like what is done in AppSensor.
More fundamentally, I think these codecs are exactly the type of
fundamental building blocks that are required before we (as an industry)
can move past injection and get to harder problems. I say we just build
these out, get them right, and move on.
As far as I know, there's nothing that prevents a codec from supporting
a changeable escape syntax. We sort of support that with the two modes
in the MySQLCodec.
--Jeff
From: Jim Manico [mailto:jim.manico at owasp.org]
Sent: Wednesday, July 27, 2011 6:35 PM
To: Jeff Williams
Cc: Rama Krishna Pathangi; ESAPI User Group
Subject: Re: [Esapi-user] Esapi-user Digest, Vol 20, Issue 12
Jeff,
I agree these encoders belong in ESAPI but only as a last resort.
Case in point: You can change Oracle's escape character dynamically and
the JDBC driver would pick that up, but a hard-coded escape function
would not, leaving you injectable.
But still, Jeff, as a last resort or as a stopgap measure, I agree.
- Jim Manico
On Jul 27, 2011, at 5:27 PM, "Jeff Williams"
<jeff.williams at aspectsecurity.com> wrote:
Perhaps he is interested in canonicalization? There are plenty
of good reasons to have a SQLServer codec in ESAPI.
There were some discussions around this a while back, and maybe
even an implementation. Would you be interested in helping put this
together?
--Jeff
On Jul 27, 2011, at 5:22 PM, "Jim Manico" <jim.manico at owasp.org>
wrote:
Rama,
This is a deeply fragile way to stop XSS. Can you just
use parameterized queries with data binding? We heavily recommend this
as the best way to stop SQL injection.
- Jim Manico
On Jul 27, 2011, at 12:48 PM, Rama Krishna Pathangi
<rpathangi at hotmail.com> wrote:
Hello,
We are currently using ESAPI 2.0 GA.
In line with the following, I was wondering if
we can have a codec for SQLServer in your future release.
ESAPI.encoder().encodeForSQL( new OracleCodec(), dirtyString );
ESAPI.encoder().encodeForSQL( new DB2Codec(), dirtyString );
--
Rama Krishna Rao Pathangi
[c] 1 503 962 9480
[f] 1 801 409 7951
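The following is an added example, not code from this thread or from ESAPI itself. It puts the codec call Rama asks about next to the parameterized query Jim recommends, so the difference is visible in code: the codec rewrites the untrusted value so it survives inside a quoted literal, while PreparedStatement binding keeps the value out of the SQL text altogether. It assumes an ESAPI.properties file on the classpath (ESAPI.encoder() will not initialise without one), a JDBC Connection supplied by the caller, and a hypothetical USERS table with a USERNAME column; the sample input is constructed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.OracleCodec;

/**
 * Added example: three ways to get untrusted text into a SQL query.
 * The table and column names (USERS, USERNAME) are hypothetical.
 */
public class SqlCodecExample {

    // Constructed sample input: a quote-breakout attempt.
    static final String DIRTY = "O'Brien' OR '1'='1";

    /** Vulnerable: raw concatenation. The quote inside DIRTY closes the
     *  literal early and everything after it is parsed as SQL. */
    static String buildUnsafeQuery(String input) {
        return "SELECT * FROM USERS WHERE USERNAME = '" + input + "'";
    }

    /** Stopgap: escape with an ESAPI codec, then concatenate. OracleCodec
     *  escapes each single quote by doubling it, so the literal stays closed.
     *  This is only correct while the database's quoting rules match the
     *  codec's, which is the fragility Jim points out above. */
    static String buildEscapedQuery(Codec codec, String input) {
        String escaped = ESAPI.encoder().encodeForSQL(codec, input);
        return "SELECT * FROM USERS WHERE USERNAME = '" + escaped + "'";
    }

    /** Preferred: the SQL text is fixed and the driver binds the value
     *  separately, so the input is never interpreted as SQL regardless
     *  of the database's escape settings. */
    static int countByUsername(Connection conn, String input) throws SQLException {
        String sql = "SELECT COUNT(*) FROM USERS WHERE USERNAME = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, input);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("unsafe : " + buildUnsafeQuery(DIRTY));
        System.out.println("escaped: " + buildEscapedQuery(new OracleCodec(), DIRTY));
        // countByUsername(conn, DIRTY) would need a live JDBC Connection;
        // with binding, DIRTY is matched as a literal username and nothing more.
    }
}
```

A practitioner reading the two printed queries will see the first one changed meaning and the second did not; the third method is the one to ship, with the codec kept for places where binding is genuinely unavailable.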
> From: esapi-user-request at lists.owasp.org
> Subject: Esapi-user Digest, Vol 20, Issue 12
> To: esapi-user at lists.owasp.org
> Date: Wed, 27 Jul 2011 12:00:05 -0400
> Today's Topics:
>
> 1. Re: [Esapi-dev] ESAPI 2.0.1 Released (Dave
Wolf)
> 2. Fwd: .NET and Java WAF (Christian Heinrich)
> 3. Re: .NET and Java WAF (Jim Manico)
> 4. Re: [Esapi-dev] .NET and Java WAF (Kevin W.
Wall)
> 5. Re: [GPC] Fwd: .NET and Java WAF (Jason Li)
> 6. using SafeRequest (Normando Macaraeg)
> 7. Re: using SafeRequest (Kevin W. Wall)
> 8. Re: [Esapi-dev] .NET and Java WAF
(Christian Heinrich)
>
>
>
----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 26 Jul 2011 17:14:12 +0000
> From: Dave Wolf <dave.wolf at gmail.com>
> Subject: Re: [Esapi-user] [Esapi-dev] ESAPI
2.0.1 Released
> To: ESAPI Dev List
<esapi-dev at lists.owasp.org>,
> "Esapi-user at lists.owasp.org"
<Esapi-user at lists.owasp.org>
> Message-ID:
>
<CAF1Q6Q3EHDgAwCheTt6e9E3HmZd+smu3eVSkEj8dqpHV1nRpyA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> FYI, I'm not finding 2.0.1 on Maven Central. The most current release that
> shows up is 2.0GA. I'm searching using:
> g:"org.owasp.esapi" AND a:"esapi" AND v:"2.0.1"
>
> Any ideas what is going on?
>
> Thanks,
>
> Dave Wolf
>
> Date: Mon, 25 Jul 2011 08:01:35 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-dev] ESAPI 2.0.1 Released
> To: Chris Schmidt <chris.schmidt at owasp.org>
> Cc: ESAPI Devs <esapi-dev at lists.owasp.org>,
> "Esapi-user at lists.owasp.org"
<Esapi-user at lists.owasp.org>
> Message-ID:
>
<CAOPE6PhgP5NnFLxA2nBKKCG5P39N4vuTU0+U1U3SmbcC_eY2kA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Mon, Jul 25, 2011 at 4:44 AM, Chris Schmidt
<chris.schmidt at owasp.org>
> wrote:
> > Due to popular demand ESAPI 2.0.1 has been released with some minor (but
> > important) bug fixes. The changelist is below.
> > [snip]
> > Change log from 2.0.GA to 2.0.1
> >
> > 2011-07-25 00:01:38 chrisisbeef /trunk/pom.xml v 1858
> >   Removed version from project name... Fixes Issue #235
> > 2011-07-24 23:56:06 chrisisbeef /trunk/configuration/esapi/ESAPI.properties v 1857
> >   /trunk/src/test/java/org/owasp/esapi/reference/ValidatorTest.java v 1857
> >   Resolves issue #46 - allow context path to have leading slash or be empty
> > 2011-07-23 14:36:17 chrisisbeef /trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java v 1856
> >   Get rid of really irritating stacktrace every time esapi loads.
> >   fixes issue #220
> > 2011-07-23 14:25:45 chrisisbeef /trunk/src/main/java/org/owasp/esapi/reference/DefaultValidator.java v 1855
> >   Resolve issue 232 Validation Type Error
> > 2011-07-23 14:17:34 chrisisbeef /trunk/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java v 1854
> >   Fix issue 231 inverted logic error with canonicalization.
>
> Chris,
>
> Well, let me be amongst the first to publicly congratulate you for pushing
> out these fixes, and especially issue #46, which I pretty much dropped the
> ball on.
>
> Thanks for your hard work. The whole ESAPI community owes you a beer!
> Great job.
>
> -kevin
> --
> Blog:
http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be
destroyed, most experts agree,
> is by accident. That's where we come in; we're
computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
> Dave Wolf
>
> "There is no passion to be found playing small
- in settling for a life that
> is less than the one you are capable of
living." --Nelson Mandela
>
> ------------------------------
>
> Message: 2
> Date: Wed, 27 Jul 2011 10:23:39 +1000
> From: Christian Heinrich
<christian.heinrich at owasp.org>
> Subject: [Esapi-user] Fwd: .NET and Java WAF
> To: Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>
> Message-ID:
>
<CAFCvB5JThsd3g2AKP9kthkHKcywgj7dbK4r9JaMtqtVd3WEmZA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> GPC,
>
> Please consider this notice that "we" intend
to escalate for
> recognition as an OWASP Project by the GPC
shortly after BlackHat and
> DefCon.
>
> Hence I have CC ESAPI Mailing List for
discussion in the interim until
> the @owasp.org Mailing Lists are created.
>
> Juan, Ryan, Jason and Jason have been BCC.
>
> ---------- Forwarded message ----------
> From: Christian Heinrich
<christian.heinrich at owasp.org>
> Date: Tue, Jul 26, 2011 at 8:33 AM
> Subject: Re: [Esapi-user] WAF 2.0? alpha on
repository
> To: "Calderon, Juan Carlos (GE, Corporate,
consultant)" <juan.calderon at ge.com>
> Cc: Jim Manico <jim.manico at owasp.org>, Ryan
Barnett <ryan.barnett at owasp.org>
>
>
> Juan,
>
> On Tue, Jul 26, 2011 at 6:02 AM, Calderon,
Juan Carlos (GE, Corporate,
> consultant) <juan.calderon at ge.com> wrote:
> > What do you mean closing this off? Having it
ready or defining is an
> > OWASP project?
>
> I was referring to having it listed as an OWASP Project, such as an
> associated mailing list, etc.
>
> On Tue, Jul 26, 2011 at 6:02 AM, Calderon,
Juan Carlos (GE, Corporate,
> consultant) <juan.calderon at ge.com> wrote:
> > Just as a small update, Aldo Salas a
certified Java developer is helping
> > me out to finish this project, we have a
progress meeting this Thursday,
> > also I sent a paper proposal to OWASP LATAM
to present a course on
> > Mod_security for Java this October (that is
it should be well tested and
> > finished by then) :)
>
> I can note this milestone in the Project Plan - I will list it for
> November to account for the unlikely event that the deadline slips or
> to demonstrate that we ship it earlier than expected :)
>
>
> --
> Regards,
> Christian Heinrich
> http://www.owasp.org/index.php/user:cmlh
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 26 Jul 2011 19:25:14 -0500
> From: Jim Manico <jim.manico at owasp.org>
> Subject: Re: [Esapi-user] .NET and Java WAF
> To: Christian Heinrich
<christian.heinrich at owasp.org>
> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects
Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID:
<-2981349937657456396 at unknownmsgid>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I totally support splitting the ESAPI WAF into
a brand new project. Go
> for it - and great work!
>
> - Jim Manico
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 26 Jul 2011 21:39:10 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-user] [Esapi-dev] .NET and
Java WAF
> To: Jim Manico <jim.manico at owasp.org>
> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects
Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID:
>
<CAOPE6Ph85Po+9Qs6d96GzYg4=5j5sYXQOU7JFEpJgF+o8iX_dg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Jul 26, 2011 at 8:25 PM, Jim Manico
<jim.manico at owasp.org> wrote:
> > I totally support splitting the ESAPI WAF
into a brand new project. Go
> > for it - and great work!
>
> Christian,
>
> I concur. However, please do keep us in the loop, especially if you make
> any changes that would affect how it is used in ESAPI. I think that we would
> like to keep it as an option there and also be able to drop in your latest
> version.
>
> Thanks,
> -kevin
> --
> Blog:
http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 26 Jul 2011 21:51:42 -0400
> From: Jason Li <jason.li at owasp.org>
> Subject: Re: [Esapi-user] [GPC] Fwd: .NET and
Java WAF
> To: Christian Heinrich
<christian.heinrich at owasp.org>
> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects
Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID:
>
<CAPfGuxawWMudERxnbN+-LfKZQ1tMfhUVs69fs9ntWkjHOiNPjg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Christian,
>
> There's no need to "escalate" for recognition.
>
> Any idea can always be submitted to the GPC
and they will be processed
> by Paulo Coimbra like all other requests.
>
> I would encourage the group to read the wiki
article on starting an
> OWASP project
(https://www.owasp.org/index.php/How_to_Start_an_OWASP_Project)
> and ensure that the group submits the
necessary information.
>
> -Jason
>
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 26 Jul 2011 19:48:57 -0700 (PDT)
> From: "Normando Macaraeg"
<nmacaraeg at jaspersoft.com>
> Subject: [Esapi-user] using SafeRequest
> To: <esapi-user at lists.owasp.org>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> Using the ESAPI Book as my guide, it looks like when I find code that
> looks like:
>
> HttpSession session = request.getSession(); // unsafe session
>
> I should change the code to this:
>
> HttpSession session = new SafeRequest( request ).getSession(); // safe session
>
> But the book says this works only if I enable the ESAPIFilter. How do I
> enable the ESAPIFilter?
>
> -Norm
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 26 Jul 2011 23:32:01 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-user] using SafeRequest
> To: Normando Macaraeg
<nmacaraeg at jaspersoft.com>
> Cc: esapi-user at lists.owasp.org
> Message-ID:
>
<CAOPE6Pj3joRXWCo8bJY+BJPDy9Z_om-AZDkokumJEiSFganNPQ at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Jul 26, 2011 at 10:48 PM, Normando
Macaraeg
> <nmacaraeg at jaspersoft.com> wrote:
> > Hi,
> >
> > Using the ESAPI Book as my guide, it looks like when I find code that
> > looks like:
> >
> > HttpSession session = request.getSession(); // unsafe session
> >
> > I should change the code to this:
> >
> > HttpSession session = new SafeRequest( request ).getSession(); // safe session
> >
> > But the book says this works only if I enable the ESAPIFilter. How do I
> > enable the ESAPIFilter?
>
> You configure it just like any other Java Servlet filter.
> In your WEB-INF/web.xml file, you would do something like
> this:
>
> <web-app id="myWebApp">
>   ...
>   <filter>
>     <filter-name>ESAPI-Filter</filter-name>
>     <filter-class>org.owasp.esapi.filters.ESAPIFilter</filter-class>
>     <!-- Note: Not sure it has any parameters. Check the
>          source code or ask Jeff Williams. I don't have time
>          right now. However, this is how you specify
>          parameters. You can have more than one init-param
>          section. -->
>     <init-param>
>       <param-name>greetings</param-name>
>       <param-value>Hello, World</param-value>
>     </init-param>
>   </filter>
>
>   <filter-mapping>
>     <filter-name>ESAPI-Filter</filter-name>
>     <url-pattern>/images/*</url-pattern>
>   </filter-mapping>
>   ...
> </web-app>
>
> The exact syntax may be slightly different depending on what
> Servlet Spec your JavaEE / servlet container adheres to. Shown
> above is for Servlet Spec 2.4.
>
> -kevin
> --
> Blog:
http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be
destroyed, most experts agree,
> is by accident. That's where we come in; we're
computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 27 Jul 2011 16:54:00 +1000
> From: Christian Heinrich
<christian.heinrich at owasp.org>
> Subject: Re: [Esapi-user] [Esapi-dev] .NET and
Java WAF
> To: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Cc: ESAPI-Developers
<esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>
> Message-ID:
>
<CAFCvB5Lq+GHVgySp+Z0do4x0w4RdN1YF1wy5Bbk4PrXLeQcK6A at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Kevin,
>
> I have dropped the GPC for the moment from
this discussion.
>
> On Wed, Jul 27, 2011 at 11:39 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> > I concur. However, please do keep us in the loop, especially if you make
> > any changes that would affect how it is used in ESAPI. I think that we would
> > like to keep it as an option there and also be able to drop in your latest
> > version.
>
> I can create a dependency in the Project Plan for this and a SVN tag
> for the attention of ESAPI Java.
>
> For your reference, Juan's import from ESAPI Java was
> http://code.google.com/p/owasp-java-waf/source/detail?r=2
>
>
> --
> Regards,
> Christian Heinrich
> http://www.owasp.org/index.php/user:cmlh
>
>
> ------------------------------
>
>
_______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
>
https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
> End of Esapi-user Digest, Vol 20, Issue 12
> ******************************************
_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user