[Esapi-user] Fwd: Need help in using esapi.js in a JSP file

Mogare Amey Amey.Mogare at atosorigin.com
Tue May 10 08:38:43 EDT 2011


Hi Chris,

Thank you for your reply.

I have arranged the imports as you mentioned and the API is now running.

(By the way, I don’t have access to send mail to the ‘gmail’ domain from my Atos Origin id, so you might have to reply to me from your OWASP id.)

But I don’t understand how I use it to validate and clean the URL parameters.

Here is how I have written the test html:

<script type="text/javascript" language="JavaScript" src="./lib/log4js.js"></script>
<script type="text/javascript" language="JavaScript" src="./esapi.js"></script>
<script type="text/javascript" language="JavaScript" src="./resources/i18n/ESAPI_Standard_en_US.properties.js"></script>
<script type="text/javascript" language="JavaScript" src="./resources/Base.esapi.properties.js"></script>

<script type="text/javascript" language="JavaScript">
    // Set any custom configuration options here or in an external js file that gets sourced in above.
    Base.esapi.properties.logging['ApplicationLogger'] = {
        Level: org.owasp.esapi.Logger.ALL,
        Appenders: [ new Log4js.ConsoleAppender() ],
        LogUrl: true,
        LogApplicationName: true,
        EncodingRequired: true
    };

    Base.esapi.properties.application.Name = "My Application v1.0";

    // Initialize the api
    org.owasp.esapi.ESAPI.initialize();

    // Using the logger
    //$ESAPI.logger().getLogger('ApplicationLogger').info(org.owasp.esapi.Logger.EventType.EVENT_SUCCESS, 'This is a test message');

    // Using the encoder
    var urlparam = "/search/search%3Fdomain=sinequa%26profile=DAS%26encoding=utf-8%26portal=ce.globalapps.atosorigin.com%26token=%26text=x%26selScope=%26advanced=0%26search-btn-submit=Search%26precision=%26strategy=%26sort=globalrelevance.desc%26after=%26before=%26sourcecsv1=%26doctype=%26docformat=%26questionlanguage=autodetect%26documentlanguages=%26treepath-0=%26phonetics=1%26fuzzysearch=1%27%3balert%281%29//&system=SINEQUA_Search_System&windowId=WID1290076312917&NavigationTarget=ROLES%3Aportal_content%2Fcom.atosorigin.layout.AoPortalLayoutFolder%2Fcom.atosorigin.layout.iViews%2Fcom.atosorigin.atosSearch&RelativeNavBase=&Command=SUSPEND&SerPropString=&SerKeyString=&SerAttrKeyString=&DebugSet=&Embedded=true&SessionKeysAvailable=true";

    // Validate the whole URL against the configured "URL" pattern.
    // (The variable is urlparam; the original test spelled it urlParam here, which is undefined.)
    if( $ESAPI.validator().isValidInput("URLContext", urlparam, "URL", urlparam.length, false) ) {
        alert("isValidInput = true");
    }else{
        alert("isValidInput = false");
    }

    // URL-encode the value and write it into a link
    var op = $ESAPI.encoder().encodeForURL( urlparam);
    document.write("<br><br><a href=\""+op+"\">"+op+"</a>");
</script>

As you can see, this URL contains malicious script in one of the URL parameters.

Now here, I am facing two issues:

1. The isValidInput method is always returning ‘true’ in spite of the URL containing scripts.

How do I find out if a URL contains XSS code?

2. The output given by the encodeForURL() method doesn’t remove the XSS code. When I run this URL (along with the correct host & port), it still gives an alert box!

How do I get rid of malicious content from the URL?

Also, I need the JAR version of this API as I want to use it in a .java file.

I downloaded “esapi-2.0_rc11-dist.zip” but it has “esapi-2.0_rc11.jar”.

When I imported the JAR file into my java class, it gave the following error:


Code : System.out.println("ESAPI.accessController found: " + ESAPI.accessController());

Exception:
java.lang.UnsupportedClassVersionError: org/owasp/esapi/ESAPI (Unsupported major.minor version 49.0)
      at java.lang.ClassLoader.defineClass0(Native Method)
      at java.lang.ClassLoader.defineClass(ClassLoader.java:539)
      at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
      at java.net.URLClassLoader.defineClass(URLClassLoader.java:251)
      at java.net.URLClassLoader.access$100(URLClassLoader.java:55)
      at java.net.URLClassLoader$1.run(URLClassLoader.java:194)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.net.URLClassLoader.findClass(URLClassLoader.java:187)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:289)
      at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:274)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:235)
      at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:302)
      at XssTestMain.main(XssTestMain.java:26)
Exception in thread "main"


Thank you.

With warm regards,

Amey Mogare

Atos Origin India | SAP NetWeaver/ EP/ Web Dynpro | Nessie NDC : Production Line - SAP | Email : Amey.mogare at atosorigin.com | Office : +91-22-6733-3732 | Mobile : +91-9820-303-464
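A worked illustration of the two questions above, added here and not part of the mail or of esapi4js: a URL-syntax check accepts the percent-encoded payload because it is legal URL syntax, while a per-parameter allowlist rejects it, and output encoding is applied per context (URL value, then HTML) rather than to "remove" anything. The parameter names, allowlist rules and helper functions are assumptions made for this example; the query string is a constructed subset of the one in the mail.

```javascript
// Added example (not esapi4js/ESAPI code); names and rules are assumptions.

// Constructed subset of the inner query string from the mail, still
// percent-encoded once as it travelled inside the outer URL.
const SAMPLE_QUERY =
  "text=x&sort=globalrelevance.desc&phonetics=1&fuzzysearch=1%27%3balert%281%29//";

// A whole-URL syntax pattern: every character in the sample is legal URL
// syntax, so this kind of check cannot separate safe values from unsafe ones.
const URL_SYNTAX = /^[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]+$/;
function isValidUrlSyntax(url) { return URL_SYNTAX.test(url); }

// Per-parameter allowlists state what each decoded value may legitimately be.
const PARAM_RULES = {
  text: /^[A-Za-z0-9 ._-]{1,100}$/,
  sort: /^[a-z]+\.(asc|desc)$/,
  phonetics: /^[01]$/,
  fuzzysearch: /^[01]$/,
};

// Returns the names of parameters that fail their allowlist; parameters with
// no rule, or whose encoding is malformed, are rejected too (deny by default).
function rejectedParams(query) {
  const bad = [];
  for (const pair of query.split("&")) {
    const [name, ...rest] = pair.split("=");
    let value;
    try { value = decodeURIComponent(rest.join("=")); } catch (e) { bad.push(name); continue; }
    const rule = PARAM_RULES[name];
    if (!rule || !rule.test(value)) bad.push(name);
  }
  return bad;
}

// Output encoding is per context. A value placed in a query string is
// URL-encoded (encodeURIComponent leaves ' ( ) ! * alone, so they are handled
// here), and anything written into HTML is entity-encoded on top of that.
function encodeForURL(value) {
  return encodeURIComponent(value).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}
function encodeForHTML(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}
function buildSearchLink(base, term) {
  const href = base + "?text=" + encodeForURL(term);
  return '<a href="' + encodeForHTML(href) + '">' + encodeForHTML(term) + "</a>";
}
```

Nothing is stripped in either step: the bad flag value is rejected outright, and the link built by buildSearchLink still carries the term, only encoded so that it cannot change the meaning of the URL or the HTML it is written into.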

 

From: Chris Schmidt [mailto:chrisisbeef at gmail.com] 
Sent: Monday, May 09, 2011 9:33 PM
To: Jim Manico; Mogare Amey
Subject: Re: Fwd: [Esapi-user] Need help in using esapi.js in a JSP file

 

Interesting that this e-mail never came to me :(

Anyhow, it sounds like you may have the loading order slightly off. Please ensure the correct order as specified below.

<!-- esapi4js dependencies -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/lib/log4js.js"></script>
<!-- esapi4js core -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/esapi.js"></script>
<!-- esapi4js i18n resources -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/resources/i18n/ESAPI_Standard_en_US.properties.js"></script>
<!-- esapi4js configuration -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/resources/Base.esapi.properties.js"></script>

As an aside, I should note that the jquery-encoder is a much more mature JavaScript encoding library that I have built to address this exact problem. It can be downloaded via the jQuery-Plugins Repository and may be a better solution to your problem.

jQuery-Encoder: 
http://plugins.jquery.com/project/jqencoder
http://software.digital-ritual.net/jqencoder/
https://github.com/chrisisbeef/jquery-encoder



On 5/9/2011 4:39 AM, Jim Manico wrote:

Jim Manico

Begin forwarded message:

	From: "Mogare Amey" <Amey.Mogare at atosorigin.com>
	Date: May 9, 2011 5:56:33 AM EDT
	To: <esapi-user at lists.owasp.org>
	Subject: [Esapi-user] Need help in using esapi.js in a JSP file

	Hi,

	I am trying to test the encodeForURL facility of the esapi.js file in the following way:

	1. Downloaded ‘esapi4js-0.1.3.zip’

	2. Extracted it inside “C:\AMEY\Nessie\Tickets\JUL 2011\UKC4032285-Portculliss security\MyTESTs\esapi\esapi4js-0.1.3”

	3. Created a new ‘MyESAPITest.htm’ file inside the same folder as in step 2 (attached file)

	4. But when I run this htm file, it gives the following error:

	Webpage error details

	User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; MS-RTC LM 8; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

	Timestamp: Mon, 9 May 2011 09:52:39 UTC

	Message: Object expected
	Line: 14
	Char: 1
	Code: 0
	URI: file:///C:/AMEY/Nessie/Tickets/JUL%202011/UKC4032285-Portculliss%20security/MyTESTs/esapi/esapi4js-0.1.3/resources/Base.esapi.properties.js

	Can you please tell me what is going wrong here?

	I want to use this esapi.js library inside a JSP to validate user input to avoid XSS attacks.

	Please help.

	Thank you.

	With warm regards,

	Amey Mogare






