[Esapi-user] ESAPI integration with Spring + DWR

Chris Schmidt chrisisbeef at gmail.com
Sun Jun 12 04:06:26 EDT 2011


You may wish to check out the esapi community, while this is only in its infant stage; it is exactly where this type of contribution belongs. Right now the only Spring integrations are with the authenticator and PropertyPlaceholderConfigurer. 

From an implementation frame of view - an interceptor would be your best bet. You could use the Validator.isValidXXX family of methods on user supplied data. The only real issue I foresee is that this doesn't provide full scope validation and should only be used as a first line of defense coupled with a JSR-303 solution such as Hibernate Validator. 

For output encoding with JSTL this integration is a bit trickier. I generally use FreeMarker or Velocity as the view rendering technology and in both languages you can use user-defined macros to do your output encoding. I would have to look a little closer to see what it would take to do something similar with JSTL tags. You may be able to use Spring AOP to proxy the tag classes and infer encoding context at runtime, and I know there are projects performing similar types of runtime encoding, but this has a performance cost when done correctly and I haven't seen what I would call a 'solid' implementation of this concept as of yet. Sounds like a good experiment for my 8 hour flight from Dublin to Chicago today! :)

Sent from my iPwn

On Jun 11, 2011, at 7:26 PM, Alex <azlist1 at gmail.com> wrote:

> Hi again, 
> 
> I am developing a web-application using Spring MVC and DWR for the "View" (as in MVC) portion of the application.
> 
> I googled a while for an integration of ESAPI with Spring but I couldn't find anything other than forum posts, and discussions on the subject with no concrete implementation. 
> 
> My search is mainly focused on input sanitization. My idea would be to have a Spring MVC filter that would automatically clean up and eventually reject "poisoned" HTTP requests (SQL injection etc...) even before a validation of input is attempted (using the Spring validators/controller framework). 
> 
> Has anyone heard of such an implementation? 
> I'm looking for a Spring filter that would nicely integrate with the ESAPI reference implementation. 
> 
> Also I am using DWR to perform all the async stuff. I have integrated DWR with Spring using config files and as far as I can tell all DWR input can follow the regular Spring HTTP request flow provided I configure it properly. That would mean that the Spring ESAPI filter discussed above could be used to validate DWR input as well. 
> 
> Does anyone have experience with this?
> Has anybody gone down this road yet?
> 
> I would happily start a small project for this and contribute back provided someone can put me on the right tracks :) 
> 
> Thank you for helping.
> 
> Alex
> 
> 
> 
>  
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
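Editor's note (added example, not code from the ESAPI project or from either poster): the interceptor approach suggested above, written against the ESAPI 2.x Validator and Spring MVC 3.x HandlerInterceptorAdapter APIs. It rejects any request whose parameter names or values fail the ESAPI whitelist patterns before a controller or JSR-303 validator ever sees them, which is the "first line of defense" role described in the reply; the business-level checks still belong on the command objects as JSR-303 annotations. The package name, the length limits, and the use of the `HTTPParameterName` / `HTTPParameterValue` pattern keys (present in the default ESAPI.properties shipped with 2.x, but check yours) are assumptions for the example. The second class is a plain static helper you can expose as JSTL EL functions through a TLD `<function>` entry, which is the simplest route to ESAPI output encoding in JSP views without proxying tag classes.

```java
// Added example for the ESAPI + Spring MVC thread; not ESAPI's own Spring integration.
// Assumptions: ESAPI 2.x and Spring MVC 3.x on the classpath, and ESAPI.properties
// defining Validator.HTTPParameterName and Validator.HTTPParameterValue patterns.
package example.security; // hypothetical package name

import java.io.IOException;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;
import org.owasp.esapi.Validator;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * First-line-of-defense interceptor: every request parameter name and value must
 * match the ESAPI whitelist pattern for HTTP parameters, otherwise the request is
 * answered with 400 and the handler chain stops. This is coarse by design; field
 * level rules (ranges, formats, cross-field checks) stay on JSR-303 annotated
 * command objects.
 */
public class EsapiParameterInterceptor extends HandlerInterceptorAdapter {

    private static final int MAX_NAME_LENGTH = 100;   // assumed limits for the example
    private static final int MAX_VALUE_LENGTH = 2000;

    private final Logger log = ESAPI.getLogger(EsapiParameterInterceptor.class);

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws IOException {
        Validator validator = ESAPI.validator();
        @SuppressWarnings("unchecked") // Servlet 2.5 returns a raw Map
        Map<String, String[]> params = request.getParameterMap();

        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            String name = entry.getKey();
            // Validate the name first; a name that fails is never echoed into the log.
            if (!validator.isValidInput("HTTP parameter name", name,
                    "HTTPParameterName", MAX_NAME_LENGTH, false)) {
                return reject(request, response, "a parameter name failed whitelist validation");
            }
            for (String value : entry.getValue()) {
                // allowNull=true: an empty parameter is not an attack, just absent data.
                if (!validator.isValidInput("HTTP parameter value", value,
                        "HTTPParameterValue", MAX_VALUE_LENGTH, true)) {
                    return reject(request, response,
                            "value of parameter '" + name + "' failed whitelist validation");
                }
            }
        }
        return true; // let the controller and its JSR-303 validation run
    }

    private boolean reject(HttpServletRequest request, HttpServletResponse response,
                           String reason) throws IOException {
        // The ESAPI logger encodes messages, so a validated name is safe to include;
        // the offending value is deliberately never logged or reflected.
        log.warning(Logger.SECURITY_FAILURE,
                "Rejected " + request.getMethod() + " " + request.getRequestURI() + ": " + reason);
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return false; // stop the handler chain
    }
}

/**
 * Static wrappers around the ESAPI encoder, intended to be declared as EL functions
 * in a TLD (e.g. ${esapi:html(user.name)}) so JSP/JSTL views encode for the right
 * context without any AOP proxying of tag classes.
 */
class EsapiFunctions {
    private EsapiFunctions() {}

    public static String html(String s) {
        return ESAPI.encoder().encodeForHTML(s);
    }

    public static String attr(String s) {
        return ESAPI.encoder().encodeForHTMLAttribute(s);
    }

    public static String js(String s) {
        return ESAPI.encoder().encodeForJavaScript(s);
    }

    public static String url(String s) throws org.owasp.esapi.errors.EncodingException {
        return ESAPI.encoder().encodeForURL(s);
    }
}
```

Register the interceptor in the MVC configuration with `<mvc:interceptors><bean class="example.security.EsapiParameterInterceptor"/></mvc:interceptors>`. Two caveats a practitioner should keep in mind: `getParameterMap()` only covers query string and form-encoded bodies, so JSON or DWR batch payloads read from the request body need their own validation hook, and a whitelist as strict as the default `HTTPParameterValue` pattern will reject legitimate free-text fields, so either loosen the pattern per application or exclude those parameters and rely on the JSR-303 rules plus output encoding for them.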

