[Esapi-user] ESAPI Validation Problem
chrisisbeef at gmail.com
Fri Mar 22 18:15:04 UTC 2013
It would probably be easier just to modify the regex being used for HTTP
Parameter validation to allow the ':' character. Beyond that, byte-stuffing
is perfectly ok as long as you white-list the bytes that are allowed; in
other words, don't blindly unpack anything that looks like
From: Chris Barlock <barlock at us.ibm.com>
Date: Friday, March 22, 2013 12:08 PM
To: ESAPI Users <esapi-user at lists.owasp.org>
Subject: [Esapi-user] ESAPI Validation Problem
I recently added the ESAPI code for HTTP parameter validation in our JSPs.
Our vulnerability scans now report zero cross-site scripting
vulnerabilities, which is very good. Unfortunately, it causes a couple of
other problems for us because sometimes we pass parameters that contain a
colon on an HTTP GET request. A colon is, apparently, not a valid character
in an HTTP parameter, so the validator throws an exception on such strings.
One person on our team suggested URL encoding the parameters and then using
something that would pass through the validator, say __3A. The string could
be unstuffed, I think, either in the JSP processing or back in the
Thoughts on this from a secure computing perspective? Other suggestions?
Chris
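The two options discussed in the thread, as an added example that is not part of the original messages and is not ESAPI's own code (Python rather than Java so it runs stand-alone). The strict allowlist below is a constructed approximation of an ESAPI-style HTTPParameterValue regex, not the actual ESAPI.properties value; the `__XX` token scheme, the `stuff`/`unstuff_*` names and the `ValueError` are assumptions made for illustration. The point it shows is the one the reply makes: widening the allowlist to admit ':' is the simple fix, and if you stuff instead, only tokens on an explicit allowlist may ever be unpacked, because a blind unpacker turns a validated `__3C` into `<` and reopens the XSS hole the validator closed.

```python
import re

# Constructed approximation of a strict ESAPI-style HTTP parameter allowlist
# (assumption: the real ESAPI.properties regex is not reproduced on this page).
PARAM_STRICT = re.compile(r'[a-zA-Z0-9.\-/+=@_ ]*')
# Option 1 from the reply: widen the allowlist so ':' is accepted directly.
PARAM_WITH_COLON = re.compile(r'[a-zA-Z0-9.\-/+=@_ :]*')


def is_valid_param(value: str, pattern: re.Pattern = PARAM_STRICT) -> bool:
    """Allowlist check. Where the ESAPI validator throws, this returns False."""
    return pattern.fullmatch(value) is not None


# Option 2 from the reply: byte-stuffing with an explicit allowlist of tokens.
# '_' is stuffed too, so a literal "__3A" in the source data stays unambiguous.
# Order matters: '_' must be stuffed before the tokens that introduce '_' are added.
STUFF_ALLOWED = {'_': '__5F', ':': '__3A'}
UNSTUFF_ALLOWED = {tok: ch for ch, tok in STUFF_ALLOWED.items()}
_TOKEN = re.compile(r'__([0-9A-Fa-f]{2})')


def stuff(value: str) -> str:
    """Replace disallowed characters with __XX tokens made only of allowlisted bytes."""
    for ch, tok in STUFF_ALLOWED.items():
        value = value.replace(ch, tok)
    return value


def unstuff_blind(value: str) -> str:
    """What NOT to do: decodes any __XX, so a validated '__3C' silently becomes '<'."""
    return _TOKEN.sub(lambda m: chr(int(m.group(1), 16)), value)


def unstuff_allowlisted(value: str) -> str:
    """Decode only tokens on the allowlist; anything else is a validation failure."""
    def repl(m: re.Match) -> str:
        tok = '__' + m.group(1).upper()
        if tok not in UNSTUFF_ALLOWED:
            raise ValueError(f'disallowed stuffed token {m.group(0)!r}')
        return UNSTUFF_ALLOWED[tok]
    return _TOKEN.sub(repl, value)


if __name__ == '__main__':
    # Constructed sample parameter values.
    legit = 'tenant:42'
    hostile = '__3Cscript__3E'  # passes the strict allowlist, decodes to <script>
    print(is_valid_param(legit), is_valid_param(legit, PARAM_WITH_COLON))
    print(stuff(legit), is_valid_param(stuff(legit)), unstuff_allowlisted(stuff(legit)))
    print(is_valid_param(hostile), unstuff_blind(hostile))
    try:
        unstuff_allowlisted(hostile)
    except ValueError as e:
        print('rejected:', e)
```

Whichever option is chosen, the validated-then-unstuffed value still has to be output-encoded for the context it lands in (HTML body, attribute, URL), since input validation on the parameter is not a substitute for encoding on the way out.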