[Esapi-user] ESAPI Validation Problem

Chris Schmidt chrisisbeef at gmail.com
Fri Mar 22 18:15:04 UTC 2013


It would probably be easier just to modify the regex being used for HTTP
Parameter validation to allow the ':' character. Beyond that, byte-stuffing
is perfectly ok as long as you white-list the bytes that are allowed, in
other words, don't blindly unpack anything that looks like
__[0-9a-f][0-9a-f]

~C
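An added example (not code from the thread or from ESAPI) of the allow-listed unstuffing the reply recommends, written in JavaScript because the original poster proposed doing the stuffing there; the pass-through alphabet and the set of bytes that may be restored are assumptions for the example.

```javascript
// Constructed example of the byte-stuffing scheme discussed in the thread.
// Stuffing replaces each byte outside a small pass-through alphabet with
// "__" + two lowercase hex digits, so "a:b" becomes "a__3ab". The underscore
// itself is stuffed (as __5f) so a literal "__3a" in user input is never
// confused with a stuffed colon.
const PASS_THROUGH = /[A-Za-z0-9.\-]/;            // bytes left as-is
const STUFFED_SHAPE = /^(?:[A-Za-z0-9.\-]|__[0-9a-f]{2})*$/;

// Allow-list of bytes that may be restored on the receiving side. Only the
// colon (the thread's case) and the escaped underscore are permitted here;
// this set is an assumption for the example, not an ESAPI setting.
const ALLOWED_STUFFED_BYTES = new Set([0x3a, 0x5f]);

function stuff(value) {
  let out = "";
  for (const ch of value) {
    const code = ch.codePointAt(0);
    if (code > 0x7f) throw new Error("example handles ASCII only");
    out += PASS_THROUGH.test(ch) ? ch : "__" + code.toString(16).padStart(2, "0");
  }
  return out;
}

function unstuff(stuffed) {
  // Reject anything that is not a well-formed stuffed string: a stray "_",
  // a half token such as "__3", or uppercase hex all fail here.
  if (!STUFFED_SHAPE.test(stuffed)) {
    throw new Error("malformed stuffed value");
  }
  // Decode tokens one at a time; a token whose byte is not on the allow-list
  // is an error, never silently restored. Blindly decoding every __xx would
  // let "__3cscript__3e" reintroduce the "<" and ">" the validator excluded.
  return stuffed.replace(/__([0-9a-f]{2})/g, (_token, hex) => {
    const byte = parseInt(hex, 16);
    if (!ALLOWED_STUFFED_BYTES.has(byte)) {
      throw new Error("stuffed byte 0x" + hex + " is not on the allow-list");
    }
    return String.fromCharCode(byte);
  });
}
```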

From:  Chris Barlock <barlock at us.ibm.com>
Date:  Friday, March 22, 2013 12:08 PM
To:  ESAPI Users <esapi-user at lists.owasp.org>
Subject:  [Esapi-user] ESAPI Validation Problem

I recently added the ESAPI code for HTTP parameter validation in our JSPs.
Our vulnerability scans now report zero cross-site scripting
vulnerabilities, which is very good. Unfortunately, it causes a couple of
other problems for us because sometimes we pass parameters that contain a
colon on an HTTP GET request.  A colon is, apparently, not a valid character
in an HTTP parameter, so the validator throws an exception on such strings.
One person on our team suggested URL encoding the parameters and then using
a form of byte-stuffing in the Javascript to change the %3A (colon) to
something that would pass through the validator, say __3A.  The string could
be unstuffed, I think, either in the JSP processing or back in the
Javascript. 

Thoughts on this from a secure computing perspective?  Other suggestions?

Thanks,

Chris

_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user

