[Esapi-user] Esapi-user Digest, Vol 20, Issue 12

Jim Manico jim.manico at owasp.org
Thu Jul 28 01:25:43 EDT 2011


Jeff,

If you dig into latest versions of Oracle JDBC drivers (which you can
decompile with Jad) you will find that the parameterization is a LOT more
complex than simple encoding. The driver needs to dynamically understand the
context before applying encoding or other defensive logic.

Also, straight SQL gets to be very long fast and there are situations where
your query string is so long that it exceeds query size limits for straight
SQL. Parameterization gives you a lot more room to breathe. Edge case but
real.

Parameterization also provides significant performance enhancements and
caching when you have a lot of duplicate queries running.  Edge cases where
parameterization hurts performance have been fixed in recent versions of
Oracle.

Jeff - Your encoder work is good. But I hope that we can agree that
Parameterization and Binding is the best approach to provide high-assurance
from SQL injection. Manual escaping is a last resort that does not provide
high-assurance defense from SQL injection.

Fair comments?

- Jim Manico
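The contrast Jim draws above, as an added example that is not code from this thread or from ESAPI: it uses Python's standard-library sqlite3 module instead of Java/JDBC so it runs offline, and pushes one constructed untrusted value through string concatenation, two hand-rolled escapers that each assume a single escape convention, and parameter binding. SQLite's only quote escape is doubling, so the backslash-style escaper stands in for the "hard-coded escape function that does not match the engine's escape character" case; the user table, the untrusted input and all function names are constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [("alice", "user"), ("bob", "user"), ("o'brien", "admin")]

# Constructed untrusted input: harmless as a bound value, but if it reaches
# the SQL parser as statement text it widens the WHERE clause to every row.
UNTRUSTED = "' OR 1=1 --"


def make_db():
    """Create an in-memory SQLite database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def names(conn, sql, params=()):
    """Run a query and return the first column of every row."""
    return [row[0] for row in conn.execute(sql, params)]


def lookup_concat(conn, name):
    """Vulnerable: the untrusted value is spliced into the statement text."""
    return names(conn, "SELECT name FROM users WHERE name = '" + name + "'")


def escape_quote_doubling(value):
    """Hand-rolled escaper assuming the engine escapes ' as '' (SQLite does)."""
    return value.replace("'", "''")


def escape_backslash(value):
    """Hand-rolled escaper assuming backslash escaping (\\' for '), which
    SQLite does not use: a backslash is just another character to it."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def lookup_escaped(conn, name, escaper):
    """Manual escaping: only as good as the escaper's match to the engine."""
    sql = "SELECT name FROM users WHERE name = '" + escaper(name) + "'"
    return names(conn, sql)


def lookup_bound(conn, name):
    """Parameter binding: the value never becomes part of the statement text."""
    return names(conn, "SELECT name FROM users WHERE name = ?", (name,))


def guarded(fn, *args):
    """Return the lookup result, or an 'error: ...' string if the SQL breaks."""
    try:
        return fn(*args)
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def demo():
    """Run each lookup strategy against the same inputs; returns a dict."""
    conn = make_db()
    return {
        # Concatenation: the tautology is parsed as SQL, so every row matches.
        "concat": guarded(lookup_concat, conn, UNTRUSTED),
        # Escaper that matches SQLite's convention: the value stays a string.
        "escaped_doubling": guarded(lookup_escaped, conn, UNTRUSTED, escape_quote_doubling),
        # Escaper for a different convention: '\' closes the literal early and
        # the rest is parsed as SQL again, so every row matches.
        "escaped_backslash": guarded(lookup_escaped, conn, UNTRUSTED, escape_backslash),
        # Binding needs no knowledge of the escape syntax at all.
        "bound": guarded(lookup_bound, conn, UNTRUSTED),
        # A legitimate value containing a quote: binding handles it,
        # concatenation produces a malformed statement.
        "bound_legit_quote": guarded(lookup_bound, conn, "o'brien"),
        "concat_legit_quote": guarded(lookup_concat, conn, "o'brien"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:20s} -> {result}")
```

The point of the two escapers is not that one is "the right one": the doubling escaper is right only because the engine here happens to be SQLite. Swap the engine, or reconfigure its escape character as the thread describes for Oracle, and the same hard-coded function silently becomes the backslash case. The bound query has no such dependency, which is why it gives high assurance where escaping gives a best effort.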

On Jul 27, 2011, at 10:30 PM, "Jeff Williams" <
jeff.williams at aspectsecurity.com> wrote:

Codecs aren’t a last resort for canonicalization and input validation, which
is required for attack detection like what is done in AppSensor.  More
fundamentally, I think these codecs are exactly the type of fundamental
building blocks that are required before we (as an industry) can move past
injection and get to harder problems.  I say we just build these out, get
them right, and move on.



As far as I know, there’s nothing that prevents a codec from supporting a
changeable escape syntax.  We sort of support that with the two modes in the
MySQLCodec.



--Jeff





*From:* Jim Manico [mailto:jim.manico at owasp.org]
*Sent:* Wednesday, July 27, 2011 6:35 PM
*To:* Jeff Williams
*Cc:* Rama Krishna Pathangi; ESAPI User Group
*Subject:* Re: [Esapi-user] Esapi-user Digest, Vol 20, Issue 12



Jeff,



I agree these encoders belong in ESAPI but only as a last resort.



Case in point: you can change Oracle's escape character dynamically and the
JDBC driver would pick that up, but a hard-coded escape function would not,
leaving you injectable.



But still Jeff, as a last resort or as a stopgap measure, I agree.


- Jim Manico


On Jul 27, 2011, at 5:27 PM, "Jeff Williams" <
jeff.williams at aspectsecurity.com> wrote:

Perhaps he is interested in canonicalization?  There are plenty of good
reasons to have a SQLServer codec in ESAPI.



There were some discussions around this a while back, and maybe even an
implementation.  Would you be interested in helping put this together?

--Jeff






On Jul 27, 2011, at 5:22 PM, "Jim Manico" <jim.manico at owasp.org> wrote:

Rama,



This is a deeply fragile way to stop XSS. Can you just use parameterized
queries with data binding? We heavily recommend this as the best way to stop
SQL injection.

- Jim Manico


On Jul 27, 2011, at 12:48 PM, Rama Krishna Pathangi <rpathangi at hotmail.com>
wrote:

Hello,

We are currently using ESAPI 2.0 GA.
In line with the following, I was wondering if we can have a codec for
SQLServer in your future release.
ESAPI.encoder().encodeForSQL( new OracleCodec(), dirtyString );
ESAPI.encoder().encodeForSQL( new DB2Codec(), dirtyString );

--
Rama Krishna Rao Pathangi
[c] 1 503 962 9480
[f]  1 801 409 7951



> From: esapi-user-request at lists.owasp.org
> Subject: Esapi-user Digest, Vol 20, Issue 12
> To: esapi-user at lists.owasp.org
> Date: Wed, 27 Jul 2011 12:00:05 -0400
>
> Send Esapi-user mailing list submissions to
> esapi-user at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.owasp.org/mailman/listinfo/esapi-user
> or, via email, send a message with subject or body 'help' to
> esapi-user-request at lists.owasp.org
>
> You can reach the person managing the list at
> esapi-user-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Esapi-user digest..."
>
>
> Today's Topics:
>
> 1. Re: [Esapi-dev] ESAPI 2.0.1 Released (Dave Wolf)
> 2. Fwd: .NET and Java WAF (Christian Heinrich)
> 3. Re: .NET and Java WAF (Jim Manico)
> 4. Re: [Esapi-dev] .NET and Java WAF (Kevin W. Wall)
> 5. Re: [GPC] Fwd: .NET and Java WAF (Jason Li)
> 6. using SafeRequest (Normando Macaraeg)
> 7. Re: using SafeRequest (Kevin W. Wall)
> 8. Re: [Esapi-dev] .NET and Java WAF (Christian Heinrich)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 26 Jul 2011 17:14:12 +0000
> From: Dave Wolf <dave.wolf at gmail.com>
> Subject: Re: [Esapi-user] [Esapi-dev] ESAPI 2.0.1 Released
> To: ESAPI Dev List <esapi-dev at lists.owasp.org>,
> "Esapi-user at lists.owasp.org" <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAF1Q6Q3EHDgAwCheTt6e9E3HmZd+smu3eVSkEj8dqpHV1nRpyA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> FYI, I'm not finding 2.0.1 on Maven Central. The most current release that
> shows up is 2.0GA. I'm searching using:
> g:"org.owasp.esapi" AND a:"esapi" AND v:"2.0.1"
>
> Any ideas what is going on?
>
> Thanks,
>
> Dave Wolf
>
> Date: Mon, 25 Jul 2011 08:01:35 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-dev] ESAPI 2.0.1 Released
> To: Chris Schmidt <chris.schmidt at owasp.org>
> Cc: ESAPI Devs <esapi-dev at lists.owasp.org>,
> "Esapi-user at lists.owasp.org" <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAOPE6PhgP5NnFLxA2nBKKCG5P39N4vuTU0+U1U3SmbcC_eY2kA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Mon, Jul 25, 2011 at 4:44 AM, Chris Schmidt <chris.schmidt at owasp.org>
> wrote:
> > Due to popular demand ESAPI 2.0.1 has been released with some minor (but
> > important) bug fixes. The changelist is below.
> > [snip]
> > Change log from 2.0.GA <http://2.0.ga/> to 2.0.1
> >
> > 2011-07-25 00:01:38 chrisisbeef /trunk/pom.xml v 1858
> >
> > Removed version from project name... Fixes Issue #235
> > 2011-07-24 23:56:06 chrisisbeef
> > /trunk/configuration/esapi/
> ESAPI.properties v 1857
> > /trunk/src/test/java/org/owasp/esapi/reference/ValidatorTest.java v 1857
> >
> > Resolves issue #46 - allow context path to have leading slash or be empty
> > 2011-07-23 14:36:17 chrisisbeef
> >
> > /trunk/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java v 1856
> >
> > Get rid of really irritating stacktrace every time esapi loads.
> >
> > fixes issue #220
> > 2011-07-23 14:25:45 chrisisbeef
> > /trunk/src/main/java/org/owasp/esapi/reference/DefaultValidator.java v 1855
> >
> > Resolve issue 232 Validation Type Error
> > 2011-07-23 14:17:34 chrisisbeef
> > /trunk/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java v 1854
> >
> > Fix issue 231 inverted logic error with canonicalization.
>
> Chris,
>
> Well, let me be amongst the first to publicly congratulate you for pushing
> out these fixes, and especially issue #46, which I pretty much dropped the
> ball on.
>
> Thanks for your hard work. The whole ESAPI community owes you a beer!
> Great job.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
> Dave Wolf
>
> "There is no passion to be found playing small - in settling for a life that
> is less than the one you are capable of living." --Nelson Mandela
>
> ------------------------------
>
> Message: 2
> Date: Wed, 27 Jul 2011 10:23:39 +1000
> From: Christian Heinrich <christian.heinrich at owasp.org>
> Subject: [Esapi-user] Fwd: .NET and Java WAF
> To: Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAFCvB5JThsd3g2AKP9kthkHKcywgj7dbK4r9JaMtqtVd3WEmZA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> GPC,
>
> Please consider this notice that "we" intend to escalate for
> recognition as an OWASP Project by the GPC shortly after BlackHat and
> DefCon.
>
> Hence I have CC ESAPI Mailing List for discussion in the interim until
> the @owasp.org Mailing Lists are created.
>
> Juan, Ryan, Jason and Jason have been BCC.
>
> ---------- Forwarded message ----------
> From: Christian Heinrich <christian.heinrich at owasp.org>
> Date: Tue, Jul 26, 2011 at 8:33 AM
> Subject: Re: [Esapi-user] WAF 2.0? alpha on repository
> To: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
> Cc: Jim Manico <jim.manico at owasp.org>, Ryan Barnett <ryan.barnett at owasp.org>
>
>
> Juan,
>
> On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> consultant) <juan.calderon at ge.com> wrote:
> > What do you mean closing this off? Having it ready or defining is an
> > OWASP project?
>
> I was referring to having it listed as an OWASP Project, such as an
> associated mailing list, etc.
>
> On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> consultant) <juan.calderon at ge.com> wrote:
> > Just as a small update, Aldo Salas a certified Java developer is helping
> > me out to finish this project, we have a progress meeting this Thursday,
> > also I sent a paper proposal to OWASP LATAM to present a course on
> > Mod_security for Java this October (that is it should be well tested and
> > finished by then) :)
>
> I can note this milestone in the Project Plan - I will list it for
> November to account for the unlikely event that the deadline slips or
> to demonstrate that we ship it earlier than expected :)
>
>
> --
> Regards,
> Christian Heinrich
> http://www.owasp.org/index.php/user:cmlh
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 26 Jul 2011 19:25:14 -0500
> From: Jim Manico <jim.manico at owasp.org>
> Subject: Re: [Esapi-user] .NET and Java WAF
> To: Christian Heinrich <christian.heinrich at owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID: <-2981349937657456396 at unknownmsgid>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I totally support splitting the ESAPI WAF into a brand new project. Go
> for it - and great work!
>
> - Jim Manico
>
> On Jul 26, 2011, at 7:23 PM, Christian Heinrich
> <christian.heinrich at owasp.org> wrote:
>
> > GPC,
> >
> > Please consider this notice that "we" intend to escalate for
> > recognition as an OWASP Project by the GPC shortly after BlackHat and
> > DefCon.
> >
> > Hence I have CC ESAPI Mailing List for discussion in the interim until
> > the @owasp.org Mailing Lists are created.
> >
> > Juan, Ryan, Jason and Jason have been BCC.
> >
> > ---------- Forwarded message ----------
> > From: Christian Heinrich <christian.heinrich at owasp.org>
> > Date: Tue, Jul 26, 2011 at 8:33 AM
> > Subject: Re: [Esapi-user] WAF 2.0? alpha on repository
> > To: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
> > Cc: Jim Manico <jim.manico at owasp.org>, Ryan Barnett <ryan.barnett at owasp.org>
> >
> >
> > Juan,
> >
> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> > consultant) <juan.calderon at ge.com> wrote:
> >> What do you mean closing this off? Having it ready or defining is an
> >> OWASP project?
> >
> > I was referring to having it listed as an OWASP Project, such as an
> > associated mailing list, etc.
> >
> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> > consultant) <juan.calderon at ge.com> wrote:
> >> Just as a small update, Aldo Salas a certified Java developer is helping
> >> me out to finish this project, we have a progress meeting this Thursday,
> >> also I sent a paper proposal to OWASP LATAM to present a course on
> >> Mod_security for Java this October (that is it should be well tested and
> >> finished by then) :)
> >
> > I can note this milestone in the Project Plan - I will list it for
> > November to account for the unlikely event that the deadline slips or
> > to demonstrate that we ship it earlier than expected :)
> >
> >
> > --
> > Regards,
> > Christian Heinrich
> > http://www.owasp.org/index.php/user:cmlh
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 26 Jul 2011 21:39:10 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-user] [Esapi-dev] .NET and Java WAF
> To: Jim Manico <jim.manico at owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID:
> <CAOPE6Ph85Po+9Qs6d96GzYg4=5j5sYXQOU7JFEpJgF+o8iX_dg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Jul 26, 2011 at 8:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
> > I totally support splitting the ESAPI WAF into a brand new project. Go
> > for it - and great work!
>
> Christian,
>
> I concur. However, please do keep us in the loop, especially if you make
> any changes that would affect how it is used in ESAPI. I think that we would
> like to keep it as an option there and also be able to drop in your latest
> version.
>
> Thanks,
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 26 Jul 2011 21:51:42 -0400
> From: Jason Li <jason.li at owasp.org>
> Subject: Re: [Esapi-user] [GPC] Fwd: .NET and Java WAF
> To: Christian Heinrich <christian.heinrich at owasp.org>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>, Global Projects Committee
> <global-projects-committee at lists.owasp.org>
> Message-ID:
> <CAPfGuxawWMudERxnbN+-LfKZQ1tMfhUVs69fs9ntWkjHOiNPjg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Christian,
>
> There's no need to "escalate" for recognition.
>
> Any idea can always be submitted to the GPC and they will be processed
> by Paulo Coimbra like all other requests.
>
> I would encourage the group to read the wiki article on starting an
> OWASP project (https://www.owasp.org/index.php/How_to_Start_an_OWASP_Project)
> and ensure that the group submits the necessary information.
>
> -Jason
>
> On Tue, Jul 26, 2011 at 8:23 PM, Christian Heinrich
> <christian.heinrich at owasp.org> wrote:
> > GPC,
> >
> > Please consider this notice that "we" intend to escalate for
> > recognition as an OWASP Project by the GPC shortly after BlackHat and
> > DefCon.
> >
> > Hence I have CC ESAPI Mailing List for discussion in the interim until
> > the @owasp.org Mailing Lists are created.
> >
> > Juan, Ryan, Jason and Jason have been BCC.
> >
> > ---------- Forwarded message ----------
> > From: Christian Heinrich <christian.heinrich at owasp.org>
> > Date: Tue, Jul 26, 2011 at 8:33 AM
> > Subject: Re: [Esapi-user] WAF 2.0? alpha on repository
> > To: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon at ge.com>
> > Cc: Jim Manico <jim.manico at owasp.org>, Ryan Barnett <ryan.barnett at owasp.org>
> >
> >
> > Juan,
> >
> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> > consultant) <juan.calderon at ge.com> wrote:
> >> What do you mean closing this off? Having it ready or defining is an
> >> OWASP project?
> >
> > I was referring to having it listed as an OWASP Project, such as an
> > associated mailing list, etc.
> >
> > On Tue, Jul 26, 2011 at 6:02 AM, Calderon, Juan Carlos (GE, Corporate,
> > consultant) <juan.calderon at ge.com> wrote:
> >> Just as a small update, Aldo Salas a certified Java developer is helping
> >> me out to finish this project, we have a progress meeting this Thursday,
> >> also I sent a paper proposal to OWASP LATAM to present a course on
> >> Mod_security for Java this October (that is it should be well tested and
> >> finished by then) :)
> >
> > I can note this milestone in the Project Plan - I will list it for
> > November to account for the unlikely event that the deadline slips or
> > to demonstrate that we ship it earlier than expected :)
> >
> >
> > --
> > Regards,
> > Christian Heinrich
> > http://www.owasp.org/index.php/user:cmlh
> > _______________________________________________
> > Global-projects-committee mailing list
> > Global-projects-committee at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/global-projects-committee
> >
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 26 Jul 2011 19:48:57 -0700 (PDT)
> From: "Normando Macaraeg" <nmacaraeg at jaspersoft.com>
> Subject: [Esapi-user] using SafeRequest
> To: <esapi-user at lists.owasp.org>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> Using the ESAPI Book as my guide, it looks like when I find code that
> looks like:
>
> HttpSession session = request.getSession(); // unsafe session
>
> I should change the code to this:
>
> HttpSession session = new SafeRequest( request ).getSession(); // safe
> session
>
> But the book says this works only if I enable the ESAPIFilter. How do I
> enable the ESAPIFilter?
>
> -Norm
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 26 Jul 2011 23:32:01 -0400
> From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Subject: Re: [Esapi-user] using SafeRequest
> To: Normando Macaraeg <nmacaraeg at jaspersoft.com>
> Cc: esapi-user at lists.owasp.org
> Message-ID:
> <CAOPE6Pj3joRXWCo8bJY+BJPDy9Z_om-AZDkokumJEiSFganNPQ at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Tue, Jul 26, 2011 at 10:48 PM, Normando Macaraeg
> <nmacaraeg at jaspersoft.com> wrote:
> > Hi,
> >
> > Using the ESAPI Book as my guide, it looks like when I find code that
> > looks like:
> >
> > HttpSession session = request.getSession(); // unsafe session
> >
> > I should change the code to this:
> >
> > HttpSession session = new SafeRequest( request ).getSession(); // safe
> > session
> >
> > But the book says this works only if I enable the ESAPIFilter. How do I
> > enable the ESAPIFilter?
>
> You configure it just like any other Java Servlet filter.
> In your WEB-INF/web.xml file, you would do something like
> this:
>
> <web-app id="myWebApp">
>   ...
>   <filter>
>     <filter-name>ESAPI-Filter</filter-name>
>     <filter-class>org.owasp.esapi.filters.ESAPIFilter</filter-class>
>     <!-- Note: Not sure it has any parameters. Check the
>          source code or ask Jeff Williams. I don't have time
>          right now. However, this is how you specify
>          parameters. You can have more than one init-param
>          section. -->
>     <init-param>
>       <param-name>greetings</param-name>
>       <param-value>Hello, World</param-value>
>     </init-param>
>   </filter>
>
>   <filter-mapping>
>     <filter-name>ESAPI-Filter</filter-name>
>     <url-pattern>/images/*</url-pattern>
>   </filter-mapping>
>   ...
> </web-app>
>
> The exact syntax may be slightly different depending on what
> Servlet Spec your JavaEE / servlet container adheres to. Shown
> above is for Servlet Spec 2.4.
>
> -kevin
> --
> Blog: http://off-the-wall-security.blogspot.com/
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We *cause* accidents." -- Nathaniel Borenstein
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 27 Jul 2011 16:54:00 +1000
> From: Christian Heinrich <christian.heinrich at owasp.org>
> Subject: Re: [Esapi-user] [Esapi-dev] .NET and Java WAF
> To: "Kevin W. Wall" <kevin.w.wall at gmail.com>
> Cc: ESAPI-Developers <esapi-dev at lists.owasp.org>, ESAPI-Users
> <Esapi-user at lists.owasp.org>
> Message-ID:
> <CAFCvB5Lq+GHVgySp+Z0do4x0w4RdN1YF1wy5Bbk4PrXLeQcK6A at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Kevin,
>
> I have dropped the GPC for the moment from this discussion.
>
> On Wed, Jul 27, 2011 at 11:39 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> > I concur. However, please do keep us in the loop, especially if you make
> > any changes that would affect how it is used in ESAPI. I think that we would
> > like to keep it as an option there and also be able to drop in your latest
> > version.
>
> I can create a dependency in the Project Plan for this and a SVN tag
> for the attention of ESAPI Java.
>
> For your reference, Juan's import from ESAPI Java was
> http://code.google.com/p/owasp-java-waf/source/detail?r=2
>
>
> --
> Regards,
> Christian Heinrich
> http://www.owasp.org/index.php/user:cmlh
>
>
> ------------------------------
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
>
> End of Esapi-user Digest, Vol 20, Issue 12
> ******************************************

_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user


