[Esapi-user] Fwd: Need help in using esapi.js in a JSP file

Mogare Amey Amey.Mogare at atosorigin.com
Mon May 16 01:13:34 EDT 2011


Hi Chris,

 

Thank you for helpful replies. It guided me in correct direction.

I have created a custom regex to parse the URL.

 

Thank you.

 

With warm regards,

Amey Mogare

 

From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Chris Schmidt
Sent: Tuesday, May 10, 2011 11:29 PM
To: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] Fwd: Need help in using esapi.js in a JSP file

 

>      1.    isValidInput method is always returning ‘true’ in spite of URL containing scripts.
>        How do I find out if any URL is containing XSS code?

By definition it is indeed a valid URL. I would recommend a custom URL Regexp if you are looking to filter "undesirable" parameter values from your url, however - with that many parameters on the request my gut feel is that should be a POST request, and the parameters should be validated individually. Regardless, the validation API on the Javascript side is intended to be used to validate individual components, trying to validate everything by passing in a huge url value is probably not the best approach - even if you do manage to get a custom Regexp working for this particular case. 

What should be done is:

// Whitelist rule for the individual field (the + quantifier allows more than one character)
Base.esapi.properties.validation['FuzzySearch'] = '^[A-Za-z0-9]+$';

// isValidInput( context, input, type, maxLength, allowNull ); .value is a property, not a method
$ESAPI.validator().isValidInput( "fuzzySearch",
                                 document.getElementById("fuzzySearch").value,
                                 "FuzzySearch",
                                 128,
                                 false);

Bear in mind also that you *cannot* rely on Client-Side validation logic, I can bypass your validation simply by disabling javascript in my browser (1-Click) and do whatever I want then. The ESAPI4JS Client-Side Validation API is simply there to provide a first-level of validation (mainly for catching user typo errors and the like, as opposed to mitigating attacks).

>      2.    The output given by encodeForURL() method doesn’t remove XSS code. When I run this URL (along with correct host & port), it >           still gives out alert box!
>        How do I get rid of malicious content from URL? 

The context you are outputting the data in is actually in an html attribute. If you use encodeForHtmlAttribute(op) instead you should not receive the alert popup, the attack will effectively be mitigated. That being said, I also encourage people to stay as far away from document.writeln() as possible. Using one of the many existing wrappers (jquery, yui, dojo, etc.) to perform this low-level task is a much better idea, and at the very least creating a container and using the innerText attribute is better than using document.writeln().

As for your problem using ESAPI4J - it looks to me like you are using Java 1.4, Java 5 is required for ESAPI.
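The two points above (validate each parameter on its own against a whitelist, and encode for the HTML attribute context when the value lands inside href="..."), as an added stand-alone example that is not code from the thread or from ESAPI4JS. The RULES table, the sample query string and the helper names are constructed for this illustration; the attribute encoder mirrors the numeric-entity approach, not the library's actual implementation.

```javascript
// Added example (not from the thread): per-parameter whitelist validation plus
// HTML-attribute encoding. Plain Node.js, no ESAPI4JS dependency.

// Constructed whitelist rules, in the spirit of Base.esapi.properties.validation.
const RULES = {
  fuzzysearch: { pattern: /^[A-Za-z0-9]+$/, maxLength: 128 },
  profile:     { pattern: /^[A-Za-z0-9_-]+$/, maxLength: 64 },
  encoding:    { pattern: /^[A-Za-z0-9-]+$/, maxLength: 32 },
};

// Split a query string into decoded name/value pairs.
function parseQuery(query) {
  const params = {};
  for (const pair of query.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const [name, value = ""] = pair.split("=");
    params[decodeURIComponent(name)] = decodeURIComponent(value);
  }
  return params;
}

// Same contract as isValidInput(context, input, type, maxLength, allowNull):
// true only when the decoded value matches the whitelist within the length cap.
function isValidInput(value, rule, allowNull) {
  if (value === undefined || value === "") return allowNull;
  return value.length <= rule.maxLength && rule.pattern.test(value);
}

// Validate every parameter individually; parameters without a rule are rejected.
function validateParams(params) {
  const result = {};
  for (const name of Object.keys(params)) {
    const rule = RULES[name];
    result[name] = rule ? isValidInput(params[name], rule, false) : false;
  }
  return result;
}

// Attribute-context encoding: every character outside [A-Za-z0-9] becomes a
// numeric entity, so a quote in the data cannot terminate the href="..." value.
function encodeForHtmlAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => `&#x${c.charCodeAt(0).toString(16)};`);
}

// Constructed sample: the fuzzysearch value decodes to the payload from the
// thread, 1';alert(1)// , which the whitelist rejects.
const SAMPLE = "profile=DAS&encoding=utf-8&fuzzysearch=1%27%3balert%281%29//";
```

Running validateParams(parseQuery(SAMPLE)) marks profile and encoding as valid and fuzzysearch as invalid; encodeForHtmlAttribute of the decoded fuzzysearch value yields only alphanumerics and &#x..; entities, which is what should be written into the attribute instead of the raw value.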

On 5/10/2011 6:38 AM, Mogare Amey wrote: 

Hi Chris,

 

Thank you for reply.

I have arranged the imports as you mentioned and API is now running.

(by the way, I don’t have access to send mails to the ‘gmail’ domain from my Atos Origin id. Hence you might have to reply to me with your OWASP id.)

 

But I don’t understand how to use it to validate and clean the URL parameters.

Here is how I have written the test html:

 

<script type="text/javascript" language="JavaScript" src="./lib/log4js.js"></script>
<script type="text/javascript" language="JavaScript" src="./esapi.js"></script>
<script type="text/javascript" language="JavaScript" src="./resources/i18n/ESAPI_Standard_en_US.properties.js"></script>
<script type="text/javascript" language="JavaScript" src="./resources/Base.esapi.properties.js"></script>

<script type="text/javascript" language="JavaScript">
    // Set any custom configuration options here or in an external js file that gets sourced in above.
    Base.esapi.properties.logging['ApplicationLogger'] = {
        Level: org.owasp.esapi.Logger.ALL,
        Appenders: [ new Log4js.ConsoleAppender() ],
        LogUrl: true,
        LogApplicationName: true,
        EncodingRequired: true
    };

    Base.esapi.properties.application.Name = "My Application v1.0";

    // Initialize the api
    org.owasp.esapi.ESAPI.initialize();

    // Using the logger
    //$ESAPI.logger().getLogger('ApplicationLogger').info(org.owasp.esapi.Logger.EventType.EVENT_SUCCESS, 'This is a test message');

    // Using the encoder
    var urlparam = "/search/search%3Fdomain=sinequa%26profile=DAS%26encoding=utf-8%26portal=ce.globalapps.atosorigin.com%26token=%26text=x%26selScope=%26advanced=0%26search-btn-submit=Search%26precision=%26strategy=%26sort=globalrelevance.desc%26after=%26before=%26sourcecsv1=%26doctype=%26docformat=%26questionlanguage=autodetect%26documentlanguages=%26treepath-0=%26phonetics=1%26fuzzysearch=1%27%3balert%281%29//&system=SINEQUA_Search_System&windowId=WID1290076312917&NavigationTarget=ROLES%3Aportal_content%2Fcom.atosorigin.layout.AoPortalLayoutFolder%2Fcom.atosorigin.layout.iViews%2Fcom.atosorigin.atosSearch&RelativeNavBase=&Command=SUSPEND&SerPropString=&SerKeyString=&SerAttrKeyString=&DebugSet=&Embedded=true&SessionKeysAvailable=true";

    // isValidInput( context, input, type, maxLength, allowNull ) -- variable name is urlparam throughout
    if( $ESAPI.validator().isValidInput("URLContext", urlparam, "URL", urlparam.length, false) ) {
        alert("isValidInput = true");
    }else{
        alert("isValidInput = false");
    }

    var op = $ESAPI.encoder().encodeForURL( urlparam);
    document.write("<br><br><a href=\""+op+"\">"+op+"</a>");
</script>

 

 

As you can see, this URL contains malicious script in one of the URL parameters.

 

Now here, I am facing two issues:

1.    isValidInput method is always returning ‘true’ in spite of URL containing scripts.

      How do I find out if any URL is containing XSS code?

2.    The output given by encodeForURL() method doesn’t remove XSS code. When I run this URL (along with correct host & port), it still gives an alert box!

      How do I get rid of malicious content from URL?

 

Also, I need the JAR version of this API as I want to use it in a .java file.

I downloaded “esapi-2.0_rc11-dist.zip” but it has “esapi-2.0_rc11.jar”.

When I imported the JAR file into my java class, it gave following error:

 

Code : System.out.println("ESAPI.accessController found: " + ESAPI.accessController());

Exception: 

java.lang.UnsupportedClassVersionError: org/owasp/esapi/ESAPI (Unsupported major.minor version 49.0)
      at java.lang.ClassLoader.defineClass0(Native Method)
      at java.lang.ClassLoader.defineClass(ClassLoader.java:539)
      at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
      at java.net.URLClassLoader.defineClass(URLClassLoader.java:251)
      at java.net.URLClassLoader.access$100(URLClassLoader.java:55)
      at java.net.URLClassLoader$1.run(URLClassLoader.java:194)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.net.URLClassLoader.findClass(URLClassLoader.java:187)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:289)
      at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:274)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:235)
      at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:302)
      at XssTestMain.main(XssTestMain.java:26)
Exception in thread "main"

 

 

Thank you.

 

With warm regards,

Amey Mogare

Atos Origin India | SAP NetWeaver/ EP/ Web Dynpro | Nessie NDC : Production Line - SAP | Email : Amey.mogare at atosorigin.com | Office : +91-22-6733-3732 | Mobile : +91-9820-303-464

 

From: Chris Schmidt [mailto:chrisisbeef at gmail.com] 
Sent: Monday, May 09, 2011 9:33 PM
To: Jim Manico; Mogare Amey
Subject: Re: Fwd: [Esapi-user] Need help in using esapi.js in a JSP file

 

Interesting that this e-mail never came to me :(

Anyhow, it sounds like you may have the loading order slightly off. Please ensure the correct order as specified below.

<!-- esapi4js dependencies -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/lib/log4js.js"></script>
<!-- esapi4js core -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/esapi.js"></script>
<!-- esapi4js i18n resources -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/resources/i18n/ESAPI_Standard_en_US.properties.js"></script>
<!-- esapi4js configuration -->
<script type="text/javascript" language="JavaScript" src="http://localhost/esapi/esapi4js/resources/Base.esapi.properties.js"></script>

As an aside, I should note that the jquery-encoder is a much more mature Javascript Encoding library that I have built to address this exact problem. It can be downloaded via the jQuery-Plugins Repository and may be a better solution to your problem.

jQuery-Encoder: 
http://plugins.jquery.com/project/jqencoder
http://software.digital-ritual.net/jqencoder/
https://github.com/chrisisbeef/jquery-encoder



On 5/9/2011 4:39 AM, Jim Manico wrote: 



Jim Manico


Begin forwarded message:

	From: "Mogare Amey" <Amey.Mogare at atosorigin.com>
	Date: May 9, 2011 5:56:33 AM EDT
	To: <esapi-user at lists.owasp.org>
	Subject: [Esapi-user] Need help in using esapi.js in a JSP file

	Hi,

	 

	I am trying to test encodeForURL facility of esapi.js file in following way:

	 

	1.    Downloaded ‘esapi4js-0.1.3.zip’

	2.    Extracted it inside “C:\AMEY\Nessie\Tickets\JUL 2011\UKC4032285-Portculliss security\MyTESTs\esapi\esapi4js-0.1.3”

	3.    Created a new ‘MyESAPITest.htm’ file inside same folder in step-2 (attached file)

	4.    But when I run this htm file, it gives following error:

	 

	Webpage error details

	 

	User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; MS-RTC LM 8; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

	Timestamp: Mon, 9 May 2011 09:52:39 UTC

	 

	Message: Object expected

	Line: 14

	Char: 1

	Code: 0

	URI: file:///C:/AMEY/Nessie/Tickets/JUL%202011/UKC4032285-Portculliss%20security/MyTESTs/esapi/esapi4js-0.1.3/resources/Base.esapi.properties.js

	 

	Can you please tell me what is going wrong here?

	 

	I want to use this esapi.js library inside a jsp to validate user input to avoid XSS attacks. 

	 

	Please help.

	 

	Thank you.

	 

	With warm regards,

	Amey Mogare

	 







_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user