[Esapi-user] Tricky encoding question

Matthew Presson matthew.presson at gmail.com
Mon Jun 20 10:33:46 EDT 2011


I have come across a scenario in an application and would like some advice
on the subject of applying the proper encoding.


Scenario:
A developer is taking user input and using it to dynamically construct a
URL which is used in an onClick event handler of an <a> tag.  The code (JSP)
looks similar to this:

<a HREF=""
> onClick="window.open('
> http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%=request.getParameter("test")%>',
> 'windowRef', '
> resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
> return false;">link text</a>



As you can see, param3 is vulnerable to XSS.  The tricky part is that the
data is being used to form a URL (URL Context) but from within a JavaScript
event handler (JavaScript Context).

The question is - Which of the following encoding strategies would be the
right one to use?


Option 1: Only use URL encoding

> <a HREF=""
> onClick="window.open('
> http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%=
> OutputEncoder.encodeForURL(request.getParameter("test")) %>', 'windowRef',
> '
> resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
> return false;">link text</a>


This option appears to work well, but we are still in a JavaScript context and
are unsure whether there would still be attack strings that would allow a
successful XSS attack.


Option 2: Only use JavaScript encoding:

> <a HREF=""
> onClick="window.open('
> http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%=
> OutputEncoder.encodeForJavaScript(request.getParameter("test")) %>',
> 'windowRef', '
> resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
> return false;">link text</a>


This option works from a security standpoint, but breaks in scenarios where
the value of the parameter *test* is supposed to equal "blah&a=b".  When
using only JavaScript encoding, page.jsp would read the value of param3 as
blah and have an extra parameter named a with the value b, instead of having
the value of param3 equal blah&a=b, which ultimately results in a functional
defect.


Option 3: Double encode using URL AND JavaScript encoding

> <a HREF=""
> onClick="window.open('
> http://www.example.com/app/page.jsp?param1=a&param2=b&param3=<%=
> OutputEncoder.encodeForJavaScript(OutputEncoder.encodeForURL(
> request.getParameter("test"))) %>', 'windowRef', '
> resizable=yes,scrollbars=yes,status=no,location=no,toolbars=yes,height=500,width=800');
> return false;">link text</a>


This also seems to work, but I am not sure about recommending a
double-encoding strategy.  For one, it adds another level of complexity that
could potentially lead to problems down the road.  Secondly, isn't
double-encoding usually frowned upon as a solution?


Please let me know if any of this does not make sense, or if I can provide
you with any additional information.


Thanks,
Matt
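Editor's note: the example below is added here and is not part of Matt's post or of ESAPI. It models the chain of decoders that consume the value in his snippet: the HTML parser decodes the attribute value, the JavaScript tokenizer then reads the single-quoted string literal handed to window.open, and page.jsp finally parses the query string. Each consumer decodes exactly one layer, in the reverse order of nesting, so the encoders have to be applied innermost first: URL, then JavaScript, and (because the handler sits in an onClick attribute) HTML attribute as the outermost layer. Option 3 applies the first two in that order; the example adds the attribute layer as a fifth strategy. The three encoders are stand-ins assumed to escape every non-alphanumeric character, modelled on what the ESAPI encoders do but not their code; the WHATWG URL parser stands in for request.getParameter; the sample inputs are constructed. Runs under Node.js.

```javascript
// Added example (not from the original post or ESAPI): model the three nested
// contexts of the onClick handler and check what page.jsp receives for param3.

// Stand-in encoders. Assumption: like the ESAPI encoders, each escapes every
// non-alphanumeric character of its input. These are not ESAPI's code.
function encodeForURL(s) {
  return Array.from(Buffer.from(s, "utf8"), b => {
    const ch = String.fromCharCode(b);
    return /[A-Za-z0-9._~-]/.test(ch) ? ch : "%" + b.toString(16).toUpperCase().padStart(2, "0");
  }).join("");
}
function encodeForJavaScript(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const cu = c.charCodeAt(0);
    return cu < 256 ? "\\x" + cu.toString(16).padStart(2, "0")
                    : "\\u" + cu.toString(16).padStart(4, "0");
  });
}
function encodeForHTMLAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => "&#x" + c.charCodeAt(0).toString(16) + ";");
}

// The post's three options, the unencoded original, and one more strategy
// that also encodes for the outermost context (the HTML attribute).
const STRATEGIES = {
  "none":        v => v,
  "url":         v => encodeForURL(v),                                         // option 1
  "js":          v => encodeForJavaScript(v),                                  // option 2
  "url+js":      v => encodeForJavaScript(encodeForURL(v)),                    // option 3
  "url+js+attr": v => encodeForHTMLAttribute(encodeForJavaScript(encodeForURL(v))),
};

const BASE = "http://www.example.com/app/page.jsp?param1=a&param2=b&param3=";
const TAIL = ", 'windowRef', 'resizable=yes,scrollbars=yes'); return false;";

// Raw text of the onClick="..." attribute value, as the JSP would emit it.
function onClickAttribute(value, strategy) {
  return "window.open('" + BASE + STRATEGIES[strategy](value) + "'" + TAIL;
}

// Consumer 1: the HTML parser decodes character references in the attribute.
function decodeHtmlAttribute(s) {
  const named = { amp: "&", quot: '"', lt: "<", gt: ">", apos: "'" };
  return s.replace(/&(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (m, body) => {
    if (body[0] !== "#") return body in named ? named[body] : m;
    return String.fromCharCode(body[1] === "x" ? parseInt(body.slice(2), 16)
                                               : parseInt(body.slice(1), 10));
  });
}

// Consumer 2: the JS tokenizer reads one single-quoted string literal; `src`
// starts just after the opening quote. Returns [value, rest] (rest null if
// the literal is unterminated).
function parseJsStringLiteral(src) {
  const simple = { n: "\n", r: "\r", t: "\t" };
  let out = "";
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === "'") return [out, src.slice(i + 1)];
    if (c === "\n" || c === "\r") return [out, null];
    if (c !== "\\") { out += c; continue; }
    const n = src[i + 1];
    if (n === "x")      { out += String.fromCharCode(parseInt(src.slice(i + 2, i + 4), 16)); i += 3; }
    else if (n === "u") { out += String.fromCharCode(parseInt(src.slice(i + 2, i + 6), 16)); i += 5; }
    else                { out += n in simple ? simple[n] : n; i += 1; }
  }
  return [out, null];
}

// Runs the whole chain. stage "html" or "js" means the input escaped that
// context (XSS); "ok" means it stayed data, and param3 is what page.jsp sees
// (WHATWG URL parsing stands in for request.getParameter here).
function simulateClick(value, strategy) {
  const attr = onClickAttribute(value, strategy);
  if (attr.includes('"')) return { stage: "html", param3: null };  // closed the onClick="..." attribute
  const js = decodeHtmlAttribute(attr);
  const [urlText, rest] = parseJsStringLiteral(js.slice("window.open('".length));
  if (rest !== TAIL) return { stage: "js", param3: null };          // left the string literal
  return { stage: "ok", param3: new URL(urlText).searchParams.get("param3") };
}

// Constructed sample inputs: the post's functional-defect value, a string
// that tries to leave the JS literal, and one that tries to close the attribute.
const SAMPLES = ["blah&a=b", "');alert(1);//", '" onmouseover="alert(1)'];
for (const v of SAMPLES) {
  for (const s of Object.keys(STRATEGIES)) {
    const r = simulateClick(v, s);
    console.log(`${JSON.stringify(v).padEnd(26)} ${s.padEnd(12)} -> ${r.stage.padEnd(4)} param3=${JSON.stringify(r.param3)}`);
  }
}
```

Run it with node; it prints one row per input and strategy. The rows reproduce what the post describes: with JavaScript encoding alone, `blah&a=b` reaches page.jsp as `blah` plus a stray `a=b`, because the JS tokenizer undoes the only layer of encoding before the query string is parsed, whereas URL encoding as the inner layer delivers the value intact. Only the unencoded value escapes the string literal or the attribute. Note that each layer is decoded once, by the consumer that owns it, so this is layered encoding for nested contexts rather than the double-decoding bugs that give "double encoding" its bad name.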