[Esapi-user] Fwd: Need help in using esapi.js in a JSP file

Chris Schmidt chris.schmidt at owasp.org
Tue May 10 13:59:12 EDT 2011


>       1. isValidInput method is always returning ‘true’ in spite of URL
> containing scripts.
>         How do I find out if any URL is containing XSS code?

By definition it is indeed a valid URL. I would recommend a custom URL 
Regexp if you are looking to filter "undesirable" parameter values from 
your url, however - with that many parameters on the request my gut feel 
is that should be a POST request, and the parameters should be validated 
individually. Regardless, the validation API on the Javascript side is 
intended to be used to validate individual components, trying to 
validate everything by passing in a huge url value is probably not the 
best approach - even if you do manage to get a custom Regexp working for 
this particular case.

What should be done is:

// Whitelist pattern for the field: one or more alphanumeric characters only.
Base.esapi.properties.validation['FuzzySearch'] = '^[A-Za-z0-9]+$';

// isValidInput(context, input, type, maxLength, allowNull);
// .value is a property of the input element, not a method.
$ESAPI.validator().isValidInput( "fuzzySearch",
                                 document.getElementById("fuzzySearch").value,
                                 "FuzzySearch",
                                 128,
                                 false);

Bear in mind also that you *cannot* rely on Client-Side validation 
logic, I can bypass your validation simply by disabling javascript in my 
browser (1-Click) and do whatever I want then. The ESAPI4JS Client-Side 
Validation API is simply there to provide a first-level of validation 
(mainly for catching user typo errors and the like, as opposed to 
mitigating attacks).

>       2. The output given by encodeForURL() method doesn’t remove XSS
> code. When I run this URL (along with correct host & port), it
> still gives out alert box!
>  How do I get rid of malicious content from URL?

The context you are outputting the data in is actually in an html 
attribute. If you use encodeForHtmlAttribute(op) instead you should not 
receive the alert popup, the attack will effectively be mitigated. That 
being said, I also encourage people to stay as far away from 
document.writeln() as possible. Using one of the many existing wrappers 
(jquery, yui, dojo, etc.) to perform this low-level task is a much 
better idea, and at the very least creating a container and using the 
innerText attribute is better than using document.writeln().

As for your problem using ESAPI4J - it looks to me like you are using 
Java 1.4, Java 5 is required for ESAPI.

On 5/10/2011 6:38 AM, Mogare Amey wrote:
>
> Hi Chris,
>
> Thank you for reply.
>
> I have arranged the imports as you mentioned and API is now running.
>
> (by the way, I don’t have access to send mails to ‘gmail’ domain from 
> my Atos Origin id. Hence you might have to reply me with your OWASP id.)
>
> But I don’t understand how do I use it to validate and clean the URL 
> parameters.
>
> Here is how I have written test html:
>
> <script type="text/javascript" language="JavaScript" src="./lib/log4js.js"></script>
> <script type="text/javascript" language="JavaScript" src="./esapi.js"></script>
> <script type="text/javascript" language="JavaScript" src="./resources/i18n/ESAPI_Standard_en_US.properties.js"></script>
> <script type="text/javascript" language="JavaScript" src="./resources/Base.esapi.properties.js"></script>
>
> <script type="text/javascript" language="JavaScript">
>     // Set any custom configuration options here or in an external js file that gets sourced in above.
>     Base.esapi.properties.logging['ApplicationLogger'] = {
>         Level: org.owasp.esapi.Logger.ALL,
>         Appenders: [ new Log4js.ConsoleAppender() ],
>         LogUrl: true,
>         LogApplicationName: true,
>         EncodingRequired: true
>     };
>
>     Base.esapi.properties.application.Name = "My Application v1.0";
>
>     // Initialize the api
>     org.owasp.esapi.ESAPI.initialize();
>
>     // Using the logger
>     //$ESAPI.logger().getLogger('ApplicationLogger').info(org.owasp.esapi.Logger.EventType.EVENT_SUCCESS, 'This is a test message');
>
>     // Using the encoder
>     var urlparam = "/search/search%3Fdomain=sinequa%26profile=DAS%26encoding=utf-8%26portal=ce.globalapps.atosorigin.com%26token=%26text=x%26selScope=%26advanced=0%26search-btn-submit=Search%26precision=%26strategy=%26sort=globalrelevance.desc%26after=%26before=%26sourcecsv1=%26doctype=%26docformat=%26questionlanguage=autodetect%26documentlanguages=%26treepath-0=%26phonetics=1%26fuzzysearch=1%27%3balert%281%29//&system=SINEQUA_Search_System&windowId=WID1290076312917&NavigationTarget=ROLES%3Aportal_content%2Fcom.atosorigin.layout.AoPortalLayoutFolder%2Fcom.atosorigin.layout.iViews%2Fcom.atosorigin.atosSearch&RelativeNavBase=&Command=SUSPEND&SerPropString=&SerKeyString=&SerAttrKeyString=&DebugSet=&Embedded=true&SessionKeysAvailable=true";
>
>     // Validate the whole URL string against the built-in "URL" pattern
>     // (variable name must match the declaration above: urlparam)
>     if( $ESAPI.validator().isValidInput("URLContext", urlparam, "URL", urlparam.length, false) ) {
>         alert("isValidInput = true");
>     }else{
>         alert("isValidInput = false");
>     }
>
>     // URL-encode the (already partly encoded) URL and write it into an href attribute
>     var op = $ESAPI.encoder().encodeForURL( urlparam);
>     document.write("<br><br><a href=\""+op+"\">"+op+"</a>");
> </script>
>
> As you can see, this URL contains malicious script in one of the URL 
> parameters.
>
> Now here, I am facing two issues:
>
> 1. isValidInput method is always returning ‘true’ in spite of URL 
> containing scripts.
>
> How do I find out if any URL is containing XSS code?
>
> 2. The output given by encodeForURL() method doesn’t remove XSS code. 
> When I run this URL (along with correct host & port), it still gives 
> out alert box!
>
> How do I get rid of malicious content from URL?
>
> Also, I need the JAR version of this API as I want to use it in a 
> .java file.
>
> I downloaded “esapi-2.0_rc11-dist.zip” but it has “esapi-2.0_rc11.jar”.
>
> When I imported the JAR file into my java class, it gave following error:
>
> Code : System.out.println("ESAPI.accessController found: "+ESAPI.accessController());
>
> Exception:
>
> java.lang.UnsupportedClassVersionError: org/owasp/esapi/ESAPI (Unsupported major.minor version 49.0)
>       at java.lang.ClassLoader.defineClass0(Native Method)
>       at java.lang.ClassLoader.defineClass(ClassLoader.java:539)
>       at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
>       at java.net.URLClassLoader.defineClass(URLClassLoader.java:251)
>       at java.net.URLClassLoader.access$100(URLClassLoader.java:55)
>       at java.net.URLClassLoader$1.run(URLClassLoader.java:194)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at java.net.URLClassLoader.findClass(URLClassLoader.java:187)
>       at java.lang.ClassLoader.loadClass(ClassLoader.java:289)
>       at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:274)
>       at java.lang.ClassLoader.loadClass(ClassLoader.java:235)
>       at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:302)
>       at XssTestMain.main(XssTestMain.java:26)
> Exception in thread "main"
>
> Thank you.
>
> With warm regards,
>
> *Amey Mogare*
>
> Atos Origin India | SAP NetWeaver/ EP/ Web Dynpro | Nessie NDC : 
> Production Line - SAP | Email : Amey.mogare at atosorigin.com | 
> Office : +91-22-6733-3732 | Mobile : +91-9820-303-464
>
> *From:*Chris Schmidt [mailto:chrisisbeef at gmail.com]
> *Sent:* Monday, May 09, 2011 9:33 PM
> *To:* Jim Manico; Mogare Amey
> *Subject:* Re: Fwd: [Esapi-user] Need help in using esapi.js in a JSP file
>
> Interesting that this e-mail never came to me :(
>
> Anyhow, it sounds like you may have the loading order slightly off. 
> Please ensure the correct order as specified below.
>
> <!-- esapi4js dependencies -->
> <script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/lib/log4js.js"></script>
> <!-- esapi4js core -->
> <script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/esapi.js"></script>
> <!-- esapi4js i18n resources -->
> <script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/resources/i18n/ESAPI_Standard_en_US.properties.js"></script>
> <!-- esapi4js configuration -->
> <script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/resources/Base.esapi.properties.js"></script>
>
> As an aside, I should note that the jquery-encoder is a much more 
> mature Javascript Encoding library that I have built to address this 
> exact problem. It can be downloaded via the jQuery-Plugins Repository 
> and may be a better solution to your problem.
>
> jQuery-Encoder:
> http://plugins.jquery.com/project/jqencoder
> http://software.digital-ritual.net/jqencoder/
> https://github.com/chrisisbeef/jquery-encoder
>
>
>
> On 5/9/2011 4:39 AM, Jim Manico wrote:
>
>
>
> Jim Manico
>
>
> Begin forwarded message:
>
>     *From:* "Mogare Amey" <Amey.Mogare at atosorigin.com>
>     *Date:* May 9, 2011 5:56:33 AM EDT
>     *To:* <esapi-user at lists.owasp.org>
>     *Subject:* *[Esapi-user] Need help in using esapi.js in a JSP file*
>
>     Hi,
>
>     I am trying to test encodeForURL facility of esapi.js file in
>     following way:
>
>     1. Downloaded ‘esapi4js-0.1.3.zip’
>
>     2. Extracted it inside “C:\AMEY\Nessie\Tickets\JUL
>     2011\UKC4032285-Portculliss security\MyTESTs\esapi\esapi4js-0.1.3”
>
>     3. Created a new ‘MyESAPITest.htm’ file inside same folder in
>     step-2 (attached file)
>
>     4. But when I run this htm file, it gives following error:
>
>     Webpage error details
>
>     User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
>     Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; MS-RTC LM 8; .NET CLR
>     3.0.04506.648; .NET CLR 3.5.21022)
>
>     Timestamp: Mon, 9 May 2011 09:52:39 UTC
>
>     Message: Object expected
>
>     Line: 14
>
>     Char: 1
>
>     Code: 0
>
>     URI:
>     file:///C:/AMEY/Nessie/Tickets/JUL%202011/UKC4032285-Portculliss%20security/MyTESTs/esapi/esapi4js-0.1.3/resources/Base.esapi.properties.js
>
>     Can you please tell me what is going wrong here?
>
>     I want to use this esapi.js library inside a jsp to validate user
>     input to avoid XSS attacks.
>
>     Please help.
>
>     Thank you.
>
>     With warm regards,
>
>     *Amey Mogare*
>
>
>
>
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user
>
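A self-contained sketch of the two points Chris makes above (validate each parameter individually against a whitelist, and encode for the attribute context the value is written into), added here as an example; it is not ESAPI4JS code or the thread's own code. The rule table and the parameter names other than fuzzysearch are assumptions, the query string is constructed from the thread's URL, and URLSearchParams and encodeURIComponent stand in for the ESAPI validator and encodeForURL.

```javascript
// Added example, not ESAPI4JS code: validate each query parameter against its own
// whitelist, then encode for the output context. Input constructed from the thread's URL.
const SAMPLE_QUERY = "domain=sinequa&fuzzysearch=1';alert(1)//&phonetics=1";

// Per-parameter rules (assumed names; the thread only shows the FuzzySearch pattern).
const RULES = {
  domain:      { re: /^[A-Za-z0-9_.-]+$/, max: 64 },
  fuzzysearch: { re: /^[A-Za-z0-9]+$/,    max: 128 },
  phonetics:   { re: /^[01]$/,            max: 1 },
};

// Same contract as isValidInput(context, input, type, maxLength, allowNull):
// true or false, with the rule looked up by parameter name.
function isValidInput(name, value, allowNull) {
  if (value === undefined || value === null || value === "") return !!allowNull;
  const rule = RULES[name];
  if (!rule) return false;            // unknown parameter: reject, do not guess
  return value.length <= rule.max && rule.re.test(value);
}

// Validate a query string one parameter at a time, not as one huge URL value.
function validateQuery(query) {
  const result = { valid: [], invalid: [] };
  for (const [name, value] of new URLSearchParams(query)) {
    (isValidInput(name, value, false) ? result.valid : result.invalid).push(name);
  }
  return result;
}

// HTML attribute context: neutralise characters that close the attribute or open
// a tag. encodeURIComponent leaves ' ( ) alone, so URL encoding is not enough here.
function encodeForHTMLAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// URL context: percent-encode each value separately. Encoding an already encoded
// URL double-encodes it ("%27" -> "%2527"), which is what encodeForURL(urlparam) did.
function buildHref(base, params) {
  const q = Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v)).join("&");
  return base + "?" + q;
}

// href is a URL inside an attribute: URL-encode the values, then attribute-encode
// the whole string before it reaches the markup.
function renderLink(base, params) {
  const href = buildHref(base, params);
  return '<a href="' + encodeForHTMLAttribute(href) + '">' + encodeForHTMLAttribute(href) + "</a>";
}
```

As in the thread, this client-side check only catches mistakes early; the same whitelist and context-aware encoding still have to run on the server.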
